South Carolina Lawyer
SC Lawyer, March 2008, #2.
HIPAA: A Road Map to Disclosure
By Kelly Jolley and Jane Trinkley

The calls always come in late on a Friday afternoon: (1) in a workers' compensation action, a construction company is refusing to hand over employee records containing medical information; (2) a family practice physician is in a panic because a suspected child abuser has requested the medical records for his child in an attempt, the physician believes, to locate the child and his mother; (3) in a wrongful death action, the nursing home that has been sued wants to know if it can use the decedent's medical records in support of the facility's motion for summary judgment; (4) in a breach of contract suit, a surgeon, too ill to attend his noticed deposition, wants to know if he can refuse to turn over his own medical records to the opposing party who demands proof of the alleged illness.
Each of these cases is impacted by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), Pub. L. No. 104-191 (August 21, 1996), codified at 42 U.S.C. § 1320d-1320d-8, and its resulting privacy regulations. Each query represents an attempt to use HIPAA's Privacy Rules as either a shield or a sword in regard to the disclosure of sensitive health information. The Privacy Rules, however, function more as a road map than a weapon.
I. Brief legislative and regulatory history

In addition to mandating health insurance portability and enhancing the federal government's fraud and abuse prosecutorial powers, HIPAA includes "Administrative Simplification" provisions requiring the U.S. Department of Health and Human Services (DHHS) to adopt national standards for the electronic exchange of health information in financial and administrative "Standard Transactions." See HIPAA §§ 261-264; 42 U.S.C. § 1320d-2; Standards for Electronic Transactions and Data Code Sets, 65 Fed. Reg. 50312 (Aug. 17, 2000), codified at 45 C.F.R. Parts 160 and 162.
Realizing that storing and transferring health information in a standard electronic format would increase the potential for individuals to access, use and disclose personal and sensitive information, Congress also required DHHS to issue regulations regarding the privacy and security of health information. HIPAA § 264. DHHS published the final privacy regulations (Privacy Rules) on December 29, 2000. The Privacy Rules were modified on August 14, 2002, and became effective for most entities on April 14, 2003. 45 C.F.R. § 164.534.
II. When does HIPAA apply?

Despite the widespread use of the "HIPAA won't let me give this information to you" defense in all manner of legal disputes, the Privacy Rules only apply to "Covered Entities" and "Business Associates" as defined by the Rules. 45 C.F.R. § 160.103. Covered entities include (1) health care providers (essentially all physicians, hospitals and clinics) who transmit health information in electronic form in a transaction for which DHHS has adopted a HIPAA standard; (2) health plans, whether individual or group plans, that provide or pay the cost of health care, including health insurers, managed care organizations and government organizations such as Medicare, Medicaid and the Veterans Health Administration; and (3) health care clearinghouses, whether public or private, that translate non-standard data into standard transactions, such as billing companies. Id.
The HIPAA Privacy Rules may also apply to non-employee business associates of covered entities; these associates may include lawyers, accountants, billing companies and other contractors who receive protected health information (PHI) from the covered entity as a necessary part of the relationship between the covered entity and the business associate. Id. The Privacy Rules allow a covered entity to disclose PHI to the business associate so long as the covered entity receives satisfactory written assurance from the business associate that the business associate will (1) use the information only for the purpose for which the covered entity engaged the business associate, (2) protect the information from misuse and unauthorized disclosure and (3) assist the covered entity in its performance of its obligations under the Privacy Rules. § 164.504(e).
The Privacy Rules do not apply to many individuals or entities that regularly have access to, maintain or disclose individual health information: (1) employers, unless they operate a self-insured health plan; (2) auto insurers and life insurers; (3) public agencies that deliver welfare and social security benefits; (4) former spouses; (5) feuding business partners; and (6) other individuals or entities with access to an individual's personal health information, unless they meet one of the above categories of covered entities or are business associates of a covered entity.
III. What information is protected?

The HIPAA Privacy...