Recent Case Law Developments Concerning the HIPAA Privacy Rules
Over the past year, courts have found numerous occasions to interpret provisions of the privacy regulations issued pursuant to the Health Insurance Portability and Accountability Act of 1996 -1 (“HIPAA Privacy Rules” or “Privacy Rules”).-2 Not surprisingly, federal courts have been particularly active in applying the Privacy Rules in several different contexts, even where unwarranted.-3 Courts have weighed in on issues of preemption, sanctions against attorneys for HIPAA violations, and the application of Privacy Rules section 512(e).
I. HIPAA Privacy Basics. The Privacy Rules govern how “covered entities”-4 may use or disclose “protected health information”-5 (“PHI”). When covered entities retain service providers, such as outside counsel, to perform duties for the covered entity involving PHI, the service provider is a “business associate,”-6 contractually bound to use or disclose PHI only in performance of its duties. A covered entity “uses” PHI internally; a “disclosure” is made to an entity outside of the covered entity.
II. HIPAA Preemption. The HIPAA Privacy Rules create minimum standards for protecting the confidentiality of PHI. Under the preemption provisions in the Privacy Rules,-7 state law will apply where it is contrary-8 to the Privacy Rules, is privacy-related, and is “more stringent”-9 than HIPAA. While the Privacy Rules define “more stringent” in half a dozen different contexts, for purposes of our discussion, generally a state law is more stringent than HIPAA where state law prohibits a use or disclosure of PHI that HIPAA would permit, or where state law provides the individual with greater privacy protection.-10
III. Requirements of HIPAA Privacy Rules §512(e). Section 512(e) of the Privacy Rules establishes a procedure that covered entities must follow in order to disclose PHI in judicial or administrative proceedings. Covered entities are permitted (or required, in the case of a court order) to disclose PHI pursuant to: court order; notice to the individual (for subpoenas and discovery requests); or a qualified protective order (or QPO).-11
Subpoenas and discovery requests require that the requestor make “satisfactory assurance” to the covered entity that the requestor has made reasonable efforts to notify the individual that is the subject of the PHI.-12 Requestors must make a good faith attempt to provide written notice to the individual that his/her PHI will be disclosed.-13 The notice must provide sufficient information about the court case or other matter to allow the individual to object.-14 The requestor’s statement of “satisfactory assurance” must indicate that either the time for any objections has elapsed, or that the court or tribunal has resolved the objections to permit release of the requested PHI.-15 The Privacy Rules also permit the covered entity to provide notice to the individual to satisfy the notice requirement.-16
A qualified protective order under HIPAA is a court or administrative order, or an order issued pursuant to the parties’ stipulation, that prohibits the parties from using or disclosing the requested PHI for any purpose other than the litigation, and that requires the PHI to be returned to the covered entity, or destroyed, at the end of the litigation.-17 In order for a covered entity to be permitted to disclose PHI, the requestor must give “satisfactory assurance” to the covered entity that it has made reasonable efforts to secure a QPO.-18 The Privacy Rules also permit the covered entity to obtain a QPO.-19
IV. Case Law. Over the past year, courts have grappled with a few common themes, including preemption and the legal effect of Privacy Rules §512(e). Not surprisingly, federal courts show an increasingly sophisticated analysis of the Privacy Rules, while state courts struggle somewhat in determining how local laws fit with the Privacy Rules.
A. Preemption Issues; State Cases
A New Jersey court was the first recently to broach a preemption analysis. In re: PPA Litigation,-20 a class action products liability case, analyzed whether the New Jersey process, established by case law, for defense counsel to conduct ex parte informal interviews with plaintiffs’ treating physicians, was preempted by HIPAA. New Jersey permits ex parte interviews accompanied by an authorization from plaintiff. The superior court held that, because HIPAA does not expressly mention ex parte interviews, HIPAA does not prohibit the interviews. However, the court seemed to be undecided whether revision of the written authorization form would satisfy the Privacy Rules; at one point, the court stated that giving plaintiffs notice and opportunity to object before the interviews would allow the ex parte interview process to comply with HIPAA.-21 Clearly, PPA is a case where the court is struggling to understand the Privacy Rules and how they interplay with established state law.
Lemieux v. Tandem Health Care of Florida, Inc.-22 again involved defense counsel’s ex parte interviews of a plaintiff’s treating physicians. In Lemieux the HIPAA Privacy Rules did not apply to the trial court’s order permitting the interviews because the court’s order predated the compliance date for the Privacy Rules.-23 However, inapplicability of the Privacy Rules did not prevent the appellate court from performing an impromptu preemption analysis. The court stated that, while HIPAA’s procedural method of allowing disclosures (under section 512(e)) was more stringent than Florida law, Florida substantive law on disclosures-24 was stricter than the Privacy Rules. Therefore, the court stated, if the Privacy Rules had applied at the time of the trial court’s order, the result would have been the same, because Florida law would apply.-25
B. Preemption Issues; Federal Cases.
Five months after PPA was decided, a Maryland district court made another attempt at HIPAA preemption analysis in Law v. Zuckerman,-26 a medical malpractice case based on diversity jurisdiction. The issue in Law was whether HIPAA preempted the Maryland Confidentiality of Medical Records Act-27 to prohibit ex parte communications between defense counsel and plaintiff’s treating physician.
The Maryland statute required medical providers to disclose their patients’ medical records to providers, providers’ insurers, or providers’ legal counsel in medical malpractice matters.-28 Defense counsel used the Maryland statute as a rationale for conducting ex parte informal interviews with plaintiff’s treating physician, and the defense further posited that the physician’s disclosures of protected health information were “required by law” under HIPAA section 512(a). Nevertheless, the district court rejected the argument that the Maryland law was stricter than HIPAA and hence applicable. The court stated that because the Privacy Rules would permit providers to make such disclosures while the Maryland law required disclosure, the Privacy Rules were more protective of an individual’s rights, and therefore the Privacy Rules applied.-29
Law’s second holding is important as heralding the erosion of informal ex parte interviews with treating physicians: The Privacy Rules prohibit ex parte interviews with physicians, unless HIPAA is strictly complied with.-30 Because the HIPAA Privacy Rules only permit a covered entity to disclose PHI in judicial proceedings pursuant to section 512(e), and because 512(e) procedures are applicable to formal discovery, Law implies that ex parte interviews must be conducted in the formal discovery process. This holding is an obvious blow to defense counsel’s ability to obtain valuable healthcare information about plaintiffs without the cost and timeframes of the formal discovery process.
Finally, Law contains troubling dicta. In a footnote, the district court comments that a plaintiff’s inferred consent to disclosure of his/her PHI (such as by filing a medical malpractice action) does not satisfy HIPAA’s intended purpose.-31 This comment shows that federal courts incompletely understand the Privacy Rules, because the Privacy Rules permit healthcare providers to disclose patients’ PHI, without patient authorization, for purposes of healthcare operations, which includes legal proceedings.-32
The trend of federal courts eroding the informal ex parte physician interview was further explored in Crenshaw v. MONY Life Ins. Co.-33 Crenshaw was a suit against a disability insurer for ceasing to make disability payments. Defense counsel identified a physician, Dr. Harris, as a fact witness on defendant’s witness list. An associate of defense counsel, having overlooked the witness list, contacted Dr. Harris to evaluate whether the physician could be an expert defense witness. Twice over a period of weeks defense counsel’s associate asked Dr. Harris whether he had ever treated plaintiff; twice Dr. Harris denied it. Only after the associate obtained and reviewed Dr. Harris’s records did the associate realize, and Dr. Harris acknowledge, that Dr. Harris had in fact once treated plaintiff some years prior to the suit.
When plaintiff learned of the associate’s contact with Dr. Harris, he moved to disqualify defense counsel, arguing that the HIPAA Privacy Rules do not permit ex parte physician interviews and that disqualification was an appropriate sanction for the defense’s violation of HIPAA. After a long discussion, the district court agreed that the Privacy Rules do not permit such interviews, but declined to impose plaintiff’s requested sanction.
C. Legal Effect of Privacy Rules § 512(e).
Many of the cases decided over the past year involving HIPAA issues struggle with interpreting HIPAA §512(e); the most interesting cases arise out of the several federal constitutional challenges to the Partial Birth Abortion Act. Suits were filed in federal district courts in California, Nebraska, and New York by Planned Parenthood and the National Abortion Federation, alleging, among other things, that the Partial Birth Abortion Act was unconstitutional because it failed to include an exception to allow medical providers to perform the procedure to protect a woman’s health.-34
The Department of Justice served subpoenas on nonparty hospitals in 5 different states,-35 seeking to obtain the records of women receiving late term abortions, in order to dispel plaintiffs’ argument and discredit plaintiffs’ expert medical witnesses. Reported decisions stemming from the Illinois and New York subpoenas are of most interest.
In the Illinois district court decision, National Abortion Federation v. Ashcroft,-36 issued February 6, 2004, an Illinois nonparty hospital challenged an order of the district court in the New York litigation that required the hospital, pursuant to Privacy Rules §512(e), to disclose records of its patients that underwent late-term abortions. The New York judge’s order, however, required the Illinois hospital to redact all identifying information from the records prior to disclosure.
The basis for the Illinois hospital’s challenge was that the records were privileged from release under Illinois law,-37 which prohibited disclosure of medical information, even in response to subpoena, unless one of 11 conditions existed. The Illinois statute applied even if the patients’ names and identification numbers were removed from the records. The hospital argued that the Illinois record privilege law applied because it was more stringent than HIPAA.
The Illinois district court agreed, stating that “Illinois’ privacy protections are activated only through HIPAA’s anti-preemption provision,” and that state law was consequently incorporated into federal law (HIPAA). We therefore have the unusual result of a federal district court applying state privilege law in a federal suit based on federal question jurisdiction. Additionally, the Illinois federal court held that HIPAA, and not Federal Rule of Evidence 501, controls the protections provided to patient medical records held by hospitals.
About six weeks later, the New York federal district court rejected this same argument from a New York nonparty hospital.-38 There, the court had issued an order to the nonparty hospital “authorizing” the hospital to produce patient records, thereby leaving a loophole for the hospital to challenge the order. The parties to the suit, the National Abortion Federation and the government, stipulated to the court issuing a protective order that appears to have satisfied the requirements of HIPAA §512(e).-39 The hospital, however, contended that the protective order was insufficient under HIPAA, because HIPAA incorporated more-stringent New York State law requiring patient consent before disclosure of the records.
Recalling that the litigation was based on federal question jurisdiction, the New York district court decided that the legal effect of HIPAA preemption was that state law continues to operate in its “sphere of influence,” in other words, at the state level, and that more-stringent state law is not made federal via incorporation into HIPAA. Finally, the New York court held that the HIPAA Privacy Rule §512(e), and not Federal Rule of Evidence 501, controls the enforceability of subpoenas requesting the disclosure of protected health information.
A final case in this line is the 7th Circuit’s decision on the Illinois subpoena, Northwestern Memorial Hospital v. Ashcroft.-40 In a long opinion eloquently reasoned by Judge Posner, the 7th Circuit recognized that §512(e) of the HIPAA Privacy Rules merely “create[s] a procedure for obtaining authority to use medical records in litigation,”-41 but conceded that whether medical records are admissible or privileged is yet another analysis. The Privacy Rules do not impose state evidentiary privileges on federal-question suits, stated Judge Posner, and echoed the New York district court in stating that more-stringent state privacy laws will apply in state court lawsuits and in federal suits where state law applies (such as in diversity cases).
D. Sanctions Against Attorneys.
Finally, a new and troubling line of authority is the imposition of judicial sanctions against litigation counsel for failing to comport with the HIPAA Privacy Rules. The Privacy Rules contain civil penalties applicable to covered entities (health care providers, health plans, and healthcare clearinghouses) that fail to comply with the Rules; HHS will impose these penalties only if voluntary compliance efforts fail.-42 Significantly, the Privacy Rules contain no penalties, civil or criminal, to be imposed on non-covered entity parties that violate provisions of the Privacy Rules. However, this has not prevented courts from fashioning sanctions against counsel who ignore the Privacy Rules in litigation.
Sanctions were contemplated but ultimately rejected by the Maryland district court in Law v. Zuckerman. In evaluating whether sanctions should be imposed upon defense counsel, the court noted that HIPAA contained civil penalties that were mild but which did not refer to how a court should treat a HIPAA violation during discovery or trial. The Maryland court praised defense counsel for attempting to perform a comparison of Maryland law and HIPAA, and stated that its order partially ameliorated the effect of the wrongful ex parte interview. The court also noted that it initially ruled that HIPAA did not apply to the case. However, reading the decision gives one a strong sense that the court was embarrassed by its initial ruling, and could not find the heart to penalize defense counsel after advising that HIPAA did not apply.
Unfortunately, the court in Crenshaw v. MONY was not so reserved. Although plaintiff’s counsel requested that defense counsel be disqualified, the California district court rejected that sanction, instead deciding to impose deposition-related costs upon defense counsel for what was, at best, a sloppy mistake.-43
While defense counsel representing health plans or insurers must familiarize themselves with the HIPAA Privacy Rules, so should any attorney who deals with medical information that could be protected health information under the Privacy Rules. As the cases point out, failure to do so could result in painful sanctions against counsel and client.
1- Public Law 104-191, 42 U.S.C. 1320d-1 et seq.
2- The HIPAA Privacy Rules are codified at 45 C.F.R. Parts 160 and 164.
3- See Hutton v. City of Martinez, 219 F.R.D. 164 (N.D. Cal. 2003), where the court applied HIPAA to a city and to a workers’ compensation carrier, despite the fact that the Privacy Rules by their terms do not apply to those entities.
4- A “covered entity” under HIPAA is a health plan, health care provider, or health care clearinghouse. See 45 C.F.R. §160.103.
5- “Protected Health Information” is individually identifiable health information transmitted or maintained in any form (with some exceptions). “Individually Identifiable Health Information” is information (including demographic information collected from an individual) that (1) is created or received by a health care provider, health plan, employer, or health care clearinghouse; and (2) relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (i) That identifies the individual; or (ii) With respect to which there is a reasonable basis to believe the information can be used to identify the individual. 45 C.F.R. §160.103.
6- “Business associate” is an entity that performs duties for a covered entity (other than the covered entity’s employee), where the business associate creates or receives PHI on behalf of the covered entity. 45 C.F.R. §160.103.
7- 45 C.F.R. §160.201 – 160.203.
8- “Contrary” essentially means that it is impossible to comply with both federal and state law. 45 C.F.R. §160.202.
9- “More stringent” is defined in 45 C.F.R. §160.202.
10- To date, no case in Wisconsin has reviewed whether Wisconsin law is stricter than the HIPAA Privacy Rules. However, a collaborative workgroup, the HIPAA Collaborative of Wisconsin (“HIPAA COW”), has performed a preemption analysis on several Wisconsin statutes and regulations, including Wis. Stats. §§ 51.30, 146.50, 146.81, 146.82, Ch. 252, and 610.70, among others. The HIPAA COW preemption charts may be found at the following link: http://hipaacow.org/home/PrivacyDocs.aspx .
11- 45 C.F.R. §164.512(e)(1)(i), (1)(ii), and (1)(v), respectively.
12- 45 C.F.R. §164.512(e)(1)(ii)(A).
13- Id. at 512(e)(1)(iii)(A).
14- Id. at 512(e)(1)(iii)(B).
15- Id. at 512(e)(1)(iii)(C)(1) and (2).
16- Id. at 512(e)(1)(vi).
17- Id. at 512(e)(1)(v).
18- Id. at 512(e)(1)(ii)(B) and (iv)(A) and (B).
19- Id. at 512(e)(1)(vi).
20- 2003 WL 22203734 (N.J. Super. L. 9/23/03)(unpublished).
21- 2003 WL 22203734 at 15.
22- 862 So.2d 745 (Fla. App. 2nd Dist. 2003).
23- Generally, the compliance date for the Privacy Rules is April 14, 2003. See 45 C.F.R. §164.534.
24- Fla. Stats. Sec. 456.057(6).
25- 862 So.2d at 748 footnote 1.
26- 307 F.Supp.2d 705 (D. Md. 2/27/04)(diversity case).
27- Md. Code Ann. Health-Gen I §4-306(b)(3).
29- 307 F. Supp.2d at 709.
30- Id. at 711.
31- Id. at footnote 1.
32- See 45 C.F.R. §§160.103; 164.502(a)(1)(ii).
33- 318 F. Supp. 1015 (S.D. Cal. 2004).
34- A similar law without such an exception was struck down in Stenberg v. Carhart, 530 U.S. 914 (2000).
35- California, Illinois, Michigan, New York, and Pennsylvania.
36- 2004 WL 292079 (N.D. Ill. 2004).
37- 735 ILCS 5/8-802.
38- National Abortion Federation v. Ashcroft, 2004 WL 555701 (S.D.N.Y. 2004), issued March 19, 2004.
39- The protective order required the hospital to redact from the records all identifying material; it permitted use of the health information only for the litigation; and required the parties to return or destroy the records, including any copies, within 60 days of the resolution of the case. 2004 WL 555701 at 2.
40- 362 F.3d 923 (7th Cir. 2004).
41- 362 F.3d at 926.
42- See 45 C.F.R. §§160.304 and 160.508.
43- The Crenshaw court decided that defendant had to produce the physician for deposition at its expense, and that the defendant was financially responsible for: physician’s expert witness fee; court reporter fees; and plaintiff’s attorney’s fees for taking the physician’s deposition (not to exceed 3 hours).