SC Lawyer, July 2003, #4. Jumping the hurdles of the HIPAA Privacy Rule.

• Author: By Ashley B. Abel and Robert M. Wood

South Carolina Lawyer

2003.

SC Lawyer, July 2003, #4.

Jumping the hurdles of the HIPAA Privacy Rule

South Carolina LawyerJuly 2003Jumping the hurdles of the HIPAA Privacy RuleBy Ashley B. Abel and Robert M. WoodIf your law practice involves the routine use of medical records in the prosecution or defense of litigation, around April of this year you may have noticed a change in attitude among many recipients of your standard medical record subpoena duces tecum. Welcome to the new world of the HIPAA Privacy Rule.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is perhaps best known for its employee health insurance "portability" features that took effect soon after passage by Congress. The privacy, security and standardization requirements of HIPAA became effective for most "covered entities" on April 14 of this year in the form of regulations issued by the U.S. Department of Health and Human Services (HHS). The title of the new regulations is "Standards for Privacy of Individually Identifiable Health Information," more commonly known, collectively, as the Privacy Rule. These regulations have a direct, far-reaching and often misunderstood impact on the way most entities within the health care system conduct their most basic daily business activities. Readers may obtain a copy of the rule from the HHS Web site at aspe.hhs.gov/adminsimp.

Because the whole point of these regulations is to maintain the privacy of "protected health information" (PHI), the Privacy Rule inevitably impacts entities outside the health care system as well - lawyers for instance. Many covered entities such as hospitals, pharmacies and physicians suddenly have begun responding to records subpoenas with vague references to regulatory provisions completely unfamiliar to many members of the Bar. This article will provide legal practitioners with basic background information regarding the pertinent provisions of the Privacy Rule, a review of the rule's impact on routine discovery practices and suggestions for practitioners to this significant development in all litigation that involves the acquisition and/or use of medical records.

Pertinent HIPAA Provisions

Congress, in passing HIPAA, set for itself a three-year deadline for enacting subsequent comprehensive legislation for protecting the privacy of PHI collected and transmitted under HIPAA's data standardization rules. As Congress failed to enact such legislation by August 1999, the Act automatically authorized - in fact, mandated - the promulgation of privacy regulations by HHS, an agency somewhat foreign to the regulation of health benefits and benefit claims.

The Department issued the "final" Privacy Rule in December 2000 and a modified final rule on August 14, 2002. The modifications were meant to address certain "unintended negative effects of the Privacy Rule on health care quality or access to health care" and to provide relief for certain "unintended administrative burdens." The provisions of the Privacy Rule were effective, for most covered entities, as of April 14, 2003.

As with many employment-related federal laws, analysis of fundamental terms is essential. If the entity from which a lawyer is seeking medical information is not a "covered entity," it will almost always indicate you are not seeking PHI protected by HIPAA. If not protected by HIPAA or other law, the disclosure should follow prior practice.

In general, the Privacy Rule applies to three categories of entities: health plans, health care clearinghouses and certain health care providers. HHS has expressly stated that it has no jurisdiction over employers acting in that capacity. The focus is on how the medical information was obtained, not on the fact that it is medical information, in determining whether the source of the information sought is a "covered entity." It is also important to...