INTRODUCTION
I. PRIOR LAW
   A. The HIPAA Privacy Rule
   B. Suppression
   C. Prior Cases Addressing the Applicability of Suppression to HIPAA Violations
II. IN RE MIGUEL M
   A. Background
   B. Trial Court Ruling
   C. Second Department Decision
   D. Court of Appeals Decision
III. ANALYSIS
   A. Criminal Trials
   B. Civil Trials
   C. Administrative Hearings
IV. CONCLUSION

INTRODUCTION
Since the implementation of the Health Insurance Portability and Accountability Act Privacy Rule (1) ("HIPAA Privacy Rule") in 2000, attorneys and courts have been scrambling to determine its impact on the admissibility of various types of medical evidence. This is particularly the case where parties seek to introduce in court medical evidence that they obtained without a HIPAA authorization form. In New York, most courts have avoided addressing such HIPAA violations by falling back on the physician-patient privilege. (2) Of the handful of New York's lower courts which have addressed the issue, most have followed the majority opinion of other states, finding suppression for violations to be inappropriate. (3)
On May 19, 2011, New York's highest court reached a different conclusion. (4) In the case In re Miguel M., after a party introduced medical records it had obtained from hospitals without the patient's authorization in a hearing to compel that patient to receive assisted outpatient treatment, the Court of Appeals found those records should have been suppressed. While the Court of Appeals found suppression appropriate for the HIPAA violations in Miguel M., it provided scant analysis of the issue and limited its decision to the facts of the case. Accordingly, Miguel M. should not be construed as creating a bright line rule of evidence prohibiting all evidence obtained without the requisite HIPAA authorization. It is, however, the first decision by the Court of Appeals on the issue, and necessarily will be looked to as precedent. This Article puts Miguel M. into the context of pre-existing caselaw and suggests how it can be used as guidance in determining whether suppression is appropriate in various types of cases.
Part I of this Article explains the requirements of the HIPAA Privacy Rule, provides a background on suppression of evidence, and reviews the prior cases which have addressed whether suppression is an appropriate remedy for HIPAA violations. Part II describes the trial court, appellate court, and Court of Appeals decisions in Miguel M. The Court of Appeals decision is then analyzed in Part III, which also proposes how the holding of the case should be applied in civil, criminal, and administrative hearings. Finally, this Article concludes that In re Miguel M. should be narrowly applied and should not create a new rule of evidence dictating that evidence obtained in violation of HIPAA be per se inadmissible in New York courts.
The HIPAA Privacy Rule
In 1996, the legislature enacted the Health Insurance Portability and Accountability Act (HIPAA). (5) HIPAA's stated purpose is "to improve the Medicare program under title XVIII of the Social Security Act, the Medicaid program under title XIX of such Act, and the efficiency and effectiveness of the health care system, by encouraging the development of a health information system through the establishment of standards and requirements for the electronic transmission of certain health information." (6) Indeed, one of the Parts added to the United States Code under HIPAA is titled "Administrative Simplification." (7) Prior to HIPAA's enactment, healthcare providers and insurance companies had to follow a complex patchwork of privacy laws that differed from state to state. (8) In order to accomplish its goal of administrative simplification, the Secretary of the United States Department of Health and Human Services ("HHS") created "a national framework for health privacy protection" (9) which has become known as the HIPAA "Privacy Rule." (10)
Under the Privacy Rule, in most circumstances a "covered entity" may not disclose "protected health information" without an "authorization." (11) Protected health information ("PHI") includes information created or received by healthcare providers relating to the physical or mental health of a patient or the provision of healthcare to a patient, which could be used to identify the patient. (12) A patient's oral statements to covered entities are included in this definition. (13) Authorizations are not required for the release of PHI when the information is requested through a court or administrative order, (14) nor are they required to respond to a subpoena, discovery request, or other lawful process if the covered entity has received satisfactory assurances that the party seeking disclosure has made reasonable efforts to ensure that the patient has been given notice of the request or has made reasonable efforts to secure a qualified protective order from a court or administrative tribunal. (15) The Privacy Rule contains additional exceptions to the authorization requirement, including: disclosures required by law; (16) disclosures to public health authorities for preventing or controlling disease, injury or disability, and for the conduct of public health surveillance, public health investigations, and public health interventions; (17) disclosures to health oversight agencies for oversight activities authorized by law; (18) and disclosures to avert a serious threat to health or safety to persons reasonably able to prevent or lessen the threat. (19)
In general, the Privacy Rule expressly preempts any contrary provisions in state law. (20) However, state law is not preempted when the Secretary of Health has determined that it is necessary to prevent fraud related to the provision of or payment for health care; to ensure appropriate state regulation of insurance or health plans; for the reporting on health care delivery and costs; or for purposes of serving a compelling need related to public health or safety. (21) In addition, state law is not preempted where its privacy provisions are more stringent than those imposed by the Privacy Rule. (22) Nor is state law preempted where it establishes procedures for the reporting of disease or injury for the conduct of public health surveillance, investigation, or intervention. (23)
HIPAA expressly provides for remedies in the event of a violation. Remedies include civil penalties ranging from $100 to $50,000, the amount depending on the mental state of the violator (unknowing versus willful neglect) and whether the violation has been corrected. (24) Intentional violations of HIPAA can also lead to criminal penalties of up to $250,000 in fines and up to ten years imprisonment. (25) In contrast to other federal legislation addressing privacy concerns, (26) HIPAA does not provide for the suppression of evidence obtained in violation of its provisions. Following queries regarding the use of suppression as a remedy, the Secretary responded: "We do not have the authority to mandate that courts apply or not apply the exclusionary rule to evidence obtained in violation of the regulation. This issue is in the purview of the courts." (27)
In New York, "absent some constitutional, statutory, or decisional authority mandating the suppression of otherwise valid evidence, such evidence will be admissible" (28) even if procured by "unethical or unlawful means." (29) Courts have applied this rule in several types of proceedings. For example, in Radder v. CSX Transportation, Inc., a personal injury action, the Fourth Department of New York's Appellate Division (30) declined to suppress evidence which had been obtained by virtue of a violation of former DR 7-104 of New York's Code of Professional Responsibility (which prohibited lawyers from communicating with an individual on the subject of the representation with a party the lawyer knows to be represented by a lawyer), noting "[h]ere, there is no constitutional, statutory or case law authority mandating the suppression of Pauley's otherwise valid testimony. ..." (31) Similarly, in Matter of Quadon H., a juvenile delinquency proceeding, where the defendant's fingerprints were matched to fingerprints in the police database, which should have been destroyed pursuant to Family Court Act [section] 354.1, the Second Department of New York's Appellate Division declined to suppress the defendant's inculpatory statements that would not have been obtained but for the fingerprint match. (32) In so finding, the court reasoned that "the right conferred on the respondent pursuant to Family Court Act [section] 354.1 to have his fingerprints destroyed does not implicate fundamental constitutional interests or considerations. Hence, the violation of Family Court Act [section] 354.1, 'does not, without more, justify suppressing of evidence to which that violation leads.'" (33) The New York Court of Appeals used the same reasoning in Charles Q. v. Constantine, where the records from an officer's criminal proceeding, which should have been sealed pursuant to section 160.50 of the New York Criminal Procedure Law ("CPL"), were erroneously used in the officer's disciplinary proceeding. (34) The Court noted a prior decision in which it found that violations of CPL [section] 160.50 do not implicate constitutional considerations and would not require suppression in a criminal proceeding. (35) Thus, the Court reasoned, "[h]aving concluded that evidence obtained in violation of a CPL 160.50 sealing order need not be suppressed in a criminal proceeding, we discern no basis for excluding from a disciplinary hearing evidence obtained through an erroneous unsealing order." (36)
In terms of HIPAA violations, as previously mentioned, HIPAA itself provides no authority for suppression, (37) and the only statute that can serve as a basis for suppression is limited to specific situations in civil trials. Since 2003, section 3122(a) of New York's Civil Procedure Law and...