I.
INTRODUCTION
The Health Insurance Portability and Accountability Act of 1996' (hereinafter 'HIPAA') was enacted by Congress to 'improve portability and continuity of health insurance coverage in the group and individual markets.'2 To achieve this end, Congress enacted Subtitle F of Title II of HIPAA, which is entitled 'Administrative Simplification.'3 The 'Administrative Simplification' provisions require the implementation of standards by the secretary of Health and Human Services (hereinafter 'the secretary') to facilitate the electronic transmission of health information.4 The 'covered entities' required to comply with these regulations include health plans, health care clearinghouses, and health care providers.5
The enactment of HIPAA has materially changed the way that medical records are treated during litigation involving claims of personal injury or wrongful death. The purpose of this article is to briefly define the regulatory framework, and then analyze the published cases concerning the application of HIPAA to medical records in litigation involving personal injury allegations.
Section 1320d-2 of HIPPA states the following:
(a) Standards to enable electronic exchange.
(1) In general. The secretary shall adopt standards for transactions, and data elements for such transactions, to enable health information to be exchanged electronically . . . .6
A plain reading of the statute suggests that Congress provided the secretary with the authority to promulgate regulations concerning 'electronically' exchanged health information only. The secretary nevertheless established regulations governing the disclosure, privacy, and protection of medical information existing in both electronic and non-electronic form.7 These regulations can be found in Title 45 of the Code of Federal Regulations, Parts 160 and 164, and are referred to as the 'Privacy Rules.' The Privacy Rules provide the circumstances under which a 'covered entity' may disclose 'protected health information.'
'Protected health information,' as defined by the Secretary, concerns health information that is individually identifiable.8 'Health information that does not identify an individual and with respect to which there is no reasonable basis to believe that the information can be used to identify an individual' is not 'protected health information' and therefore does not fall under the auspices of the Privacy Rules.9
The Secretary's authority to promulgate regulations concerning the privacy of health records that do not exist in electronic form has been challenged unsuccessfully.10 The Fourth Circuit Court of Appeals and a Texas federal trial court have determined that since the definition of 'Health Information,' as provided by Congress in Section 1320d-1, includes information ''whether oral or recorded in any form or medium,'' the Secretary is empowered to regulate the privacy of medical records that exist in either electronic or non-electronic form.11 The district court in Association of American Physicians & Surgeons reasoned that 'regulating non-electronic as well as electronic transmissions of health information effectuates HIPA A's intent to promote the computerization of medical information and to protect the confidentiality of this health information.'12 The court also wrote that, '[t]herefore, even if HIPAA did not expressly allow [the Secretary] to regulate the transmission of non-electronic as well as electronic health information, the provisions of the Privacy Rule promulgated by [the secretary] are reasonably related to the purpose of HIPAA, the enabling legislation, and should be sustained.'13
The Fourth Circuit held that Congress did not unconstitutionally delegate legislative power to the secretary and that the HIPAA preemption provisions are not impermissibly vague under the Due Process Clause of the Fifth Amendment.14 Further, a challenge to the validity of HIPAA under the First, Fourth, and Tenth Amendments also has failed.15
II.
OVERVIEW OF THE 'PRIVACY RULES'
In general, the Privacy Rules provide that a 'covered entity' may disclose protected health information to the patient,16 in compliance with a HIPAA compliant authorization,17 for the treatment, payment, or management of health care operations,18 and pursuant to an agreement between the covered entity and the patient.19 The Privacy Rules also permit disclosure of otherwise protected health information in the context of judicial and administrative proceedings.20
With regard to the latter, disclosure specifically is permitted in response to a court order.21 Further, disclosure is permitted in response to a 'subpoena, discovery request, or other lawful process' if either the 'covered entity receives satisfactory assurance . . . that reasonable efforts have been made by such party to ensure that the individual who is the subject of the protected health information that has been requested has been given notice of the request' or 'the covered entity receives satisfactory assurance . . . that reasonable efforts have been made ... to secure a qualified protective order.'22 In short, without a court order, the HIPAA regulations require a party to a litigation seeking protected health information to choose between providing the covered entity with proof of 'notice' to the patients at issue that the information has been requested, or seeking a 'qualified protective order.'23
The regulations provide that a 'covered entity' receives 'satisfactory assurances' that the patients affected by the disclosure of the health information have notice when the covered entity receives a 'written statement and accompanying documentation' that demonstrates the following:
(A) The party requesting such information has made a good faith attempt to provide written notice to the individual (or, if the individual's location is unknown, has mailed a notice to the individual's last known address);
(B) The notice included sufficient information about the litigation or proceeding in which the protected health information is requested to permit the individual to raise an objection to the court or administrative tribunal; and
(C) The time for the individual to raise objections to the court or administrative tribunal has elapsed, and:
(1) No objections were filed; or
(2) All objections filed by the individual have been resolved by the court or the administrative tribunal, and the disclosures being sought are consistent with such resolution.24
The Privacy Rules also provide that a covered entity 'receives satisfactory assurance' that reasonable efforts have been made to secure a qualified protective order if:
(A) The parties to the dispute giving rise to the request for information have agreed to a qualified protective order and have presented it to the court or administrative tribunal with jurisdiction over the dispute; or
(B) The party seeking the protected health information has requested a qualified protective order from such court or administrative tribunal.25
A 'qualified protective order' is defined in the Privacy Rules as an order of a court or of an administrative tribunal or a stipulation by the parties to the litigation or administrative proceeding that:
(A) Prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested; and
(B) Requires the return to the covered entity or destruction of the protected health information (including all copies made) at the end of the litigation or proceeding.26
The Privacy Rules also permit disclosure for law enforcement purposes in compliance with a court-ordered warrant, a subpoena or summons issued by a judicial officer, a grandjury subpoena, or an administrative request, such as an administrative subpoena or summons, and a civil or an authorized investigative demand.27
There is no federal physician-patient privilege, either by statute or at common law.28 Further, in general, the federal courts have not recognized a constitutional right to privacy in one's medical records.29 Rather, Congress primarily has left it to the states to determine the level of privacy afforded to medical information maintained by health care entities.30 The HIPAA Privacy Rules therefore could potentially protect a patient's medical records in federal question cases when that protection otherwise would not occur.31 Although a number of states have enacted legislation protecting patients' medical information,32 the HIPAA regulations impact the discovery of health information in state court litigation, as well as in federal courts applying state law, because of the HIPAA preemption provision.33 Specifically, a state privacy statute is preempted by HIPAA unless 'the provision of State law relates to the privacy of individually identifiable health information and is more stringent than a standard, requirement, or implementation specification' of the Privacy Rules.34
Covered entities were not required to comply with the secretary's regulations until April 13, 2003.35 Despite this compliance date, some courts required that covered entities, when disclosing health information, comply with the Privacy Rules on grounds that the privacy regulations manifested a strong federal policy towards protecting the privacy of a patient's medical records.36 One court, however, when presented with the issue of whether a criminal defendant's medical records should be suppressed because the disclosure of these records to law enforcement personnel did not accord with the secretary's regulations, would not ground its decision on the Privacy Rules because the disclosure was done in the 'pre-enforcement stage.' The court reasoned that such disclosure would risk an impermissible advisory opinion by the court.37
Although HIPAA does not create a private right of action,38 'covered entities' that were not parties to the litigation have refused to disclose health information in that litigation, fearing penalties for impermissible disclosure either under state laws or HIPAA.39 Given these circumstances, courts thus far have been willing to craft protective orders requiring disclosure of pertinent health records to the parties involved in litigation while simultaneously ensuring that the privacy rights of non-parties are protected in accord with the Privacy Rules.40
Some parties to litigation also have objected to the scope of health information disclosure under the HIPAA Privacy Rules.41 In these cases, the courts have been unwilling to permit a litigant to use the protections afforded by the Privacy Rules as a shield to deny adversaries access to health information that is relevant to the litigation.
III.
IMPACT OF HIPAA's PRIVACY RULES ON DISCOVERY OR DURING LITIGATION
Turning now to the extant cases concerning the scope and effect of HIPAA regulations on the collection of medical records in litigation, the following cases are relevant as of this writing. In National Abortion Federation v. Ashcroft,42 a lawsuit was commenced by a 'professional organization of abortion providers' and seven physicians in the Southern District of New York challenging the constitutionality of the Partial Birth Abortion Ban Act of 2003 ('PBABA'). PBABA prohibits certain late-term abortion procedures. One of the physicians, Dr. Hammond, was an attending at Northwestern Memorial Hospital. In support of plaintiffs' motion for a temporary restraining order, Dr. Hammond asserted that he performed PBABA-banned abortions on women with a variety of medical conditions for the protection of their health.
The government served Dr. Hammond with a demand to identify the relevant patient medical record numbers for the 'medically necessary abortion procedures' allegedly performed by Dr. Hammond and to produce the medical records concerning those patients. The court wrote that the government's demand was designed to obtain impeachment material against Dr. Hammond.
Dr. Hammond responded to the government's demand by asserting that he did not possess or control the records requested. The government then served Northwestern Memorial Hospital ('Northwestern') with a subpoena under Federal Rule of Civil Procedure 45. The subpoena was accompanied by an order signed by the district court judge sitting in New York who presided over the action. The order authorized Northwestern to disclose the records, and the government agreed to accept records that redacted any identifying information.
Northwestern moved to quash the subpoena on grounds that the records were privileged under HIPAA and Illinois law. The court held that the subpoena complied with HIPAA because a court order authorizing disclosure was attached.43 However, the court recognized that 'a contrary state health information privacy law will not be preempted by a HIPAA regulation if the state law is 'more stringent'' than the HIPAA regulation.44 The court held that Illinois statutory law did not permit disclosure of the records, even if the identifying information was redacted. The court therefore granted Northwestern's motion to quash.
In A Helping Hand, LLC v. Baltimore County, Maryland,45 the plaintiff, 'A Helping Hand,' alleged that the defendant violated the Americans with Disabilities Act and the Due Process Clause of the Fourteenth Amendment. Arguing that the defendants improperly prevented it from locating a methadone treatment clinic in Baltimore County, the plaintiff moved for a protective order to bar defendants from obtaining medical information concerning Helping Hand's patients during discovery. The court considered this information important because whether Helping Hand's patients were 'individuals with disability' under the ADA was a threshold issue in the litigation. If they were not, then plaintiff had no grounds to argue that the defendants interfered with the ADA rights of plaintiff's patients.
Defendants countered that since the issue whether a person was afforded 'disability status' required 'individual assessment,' they were entitled to the information about Helping's Hand's clients. Helping Hand responded that the information was privileged under HIPAA and Maryland's patient-psychotherapist privilege.
The court determined that HIPAA did not prevent disclosure of the information to defendants. The court held that, '[e]ven assuming the patient data is covered by HIPAA, the HIPAA regulations permit discovery of protected health information so long as a court order or agreement of the parties prohibits disclosure of the information outside the litigation and requires return of the information once the proceedings are concluded.'46 The court reasoned that, 'while no such order or agreement is yet in effect, the parties presumably could obtain one.'47
The court also held that the Maryland provision cited by plaintiff did not apply since the lawsuit was governed by federal law under Federal Rule of Evidence 501. Given that the privilege for confidential communications between a patient and a psychotherapist applied under federal law, state law would not apply. And, since Helping Hand had not even asserted the federal privilege, disclosure of the records was warranted.
Notwithstanding its determination regarding the privilege, the court noted that it would be sufficient for purposes of the lawsuit if defendants were to obtain only: (1) Helping Hand's general policies and practices in accepting patients, and (2) the typical characteristics of the patients served by Helping Hand. The court reasoned that the 'general' information about the 'typical patients' served by Helping Hand was sufficient in light of the 'extremely sensitive' nature of the information and because 'association with even a single person meeting the statutory criteria may afford Helping Hand a claim.'48
The issue now dominating this analysis is whether these two cases can be reconciled. The court in both engaged a balancing test by weighing the probative value of the information requested with the privacy concerns at stake. Both courts likewise reasoned that the information requested was extremely sensitive. However, the probative value varied with each determination.
The court in National Abortion Federation stated that a woman's decision to undergo an abortion involves 'issues indisputably of the most sensitive stripe.' The court then balanced this privacy concern against the minimal, ' any probative value,' that the information might have on the case and 'the ready availability of information traditionally used to challenge the veracity of Dr. Hammond's scientific assertions and medical opinions.'49 The court reasoned that, 'when contrasted with the potential loss of privacy that would ensue were these medical records used in a case in which the patient was not a party, the balance of harms resulting from disclosure severely outweighs the loss to the government through non-disclosure.'50 In A Helping Hand, however, the court recognized that the information requested was probative to a 'threshold issue' in the case, i.e., whether the clients of Helping Hand were 'individuals with disability' under the ADA.
A further discrepancy between the cases concerned the issue of HIPAA preemption. The court in A Helping Hand stated that the Maryland privacy provisions did not apply because federal and not state law governed the lawsuit. The court did not analyze whether the Maryland provisions were more stringent than HIPAA. In contrast, the court in National Abortion Federation rested its federal decision on state privacy statutes, despite its determination that a federal physician-patient privilege existed concerning a woman's decision to undergo an abortion. It is at least arguable that each court's decision on the preemption issue was predetermined by the balancing act.
In another relevant decision, the defendant physician in United States v. Sutherland61 was accused of unlawfully distributing and dispensing controlled substances. The government issued subpoenas to a non-party hospital to compel production of the pharmacy records of the defendant's patients. The hospital moved to quash the subpoena on grounds that disclosure of the requested information would subject it to civil liability under state law in West Virginia.
The district court reasoned, however, that as 'this is a federal criminal matter[;] state laws of procedure do not apply,' and 'patients have no expectation of privacy in medical records with regard to federal criminal proceedings because there is no federal physicianpatient privilege.'52 Although compliance with the secretary's regulations was not required at the time the subpoena issued, the district court considered the regulations to be 'persuasive in that they demonstrate a strong federal policy of protection for patient medical records.'53
The court held that the government in this criminal proceeding had a 'compelling interest' in obtaining the prescription records.54 Since the government's subpoena was not accompanied by a court order and was not a grand-jury subpoena, however, the court did not rely on section 164.512(e)(l)(i) or 164.512(f) to justify disclosure of the pharmacy records at issue. Instead, consistent with section 164.512(e)(ii), the court crafted a protective order it considered sufficient to provide 'reasonable assurances' to the hospital that the affected patients would have notice and an opportunity to object to the disclosure of their records.
'[I]n accord with the Standards issued by the secretary,' the court ordered the government to 'provide written notice prior to production of the subpoenaed records to the last known address of each individual whose records are sought under the subpoena.'55 The court also ruled that any 'notice must inform the individual that he or she may object to the disclosure within five business days' and that 'all objections by the government or by affected individuals' would be resolved prior to the start of trial.56
The case of Hutton v. City of Martinez57 is likewise relevant. The plaintiff there alleged that his civil rights were violated when an out-of-shape police officer shot him in the back because the officer was incapable of pursuing the plaintiff on foot. The police officer was named as a defendant. Plaintiff served various discovery demands seeking information about the officer's physical condition on the day of the alleged shooting. The officer's worker's compensation carrier, however, declined to produce any medical records concerning the officer's work-related back injury. (Apparently, the defendant-officer raised no objection to the production of these records for the purposes of this litigation). The plaintiff also subpoenaed for deposition the claims person who handled the officer's worker's compensation claim regarding the back injury. When the claims person was produced for the deposition, however, her attorney instructed her not to answer any questions regarding the officer's worker's compensation file on grounds that such testimony was not permitted under HIPAA.
The court held that HIPAA did not preclude the production of the records requested in the case at issue because, consistent with section 164.512(e)(iv), the parties agreed to a protective order that would adequately safeguard the defendant officer's privacy interests. Although the court's decision did not state the terms of the protective order, the order presumably required that the information be used only within the pending litigation and that the material be returned to the covered entity or destroyed at the end of the litigation, in keeping with the spirit of 45 CFR section 164.512(e)(v).
In Lemieux v. Tandem Health Care of Florida, Inc.58 the plaintiff was involved in a car accident and was hospitalized at Lakeland Regional Medical Center (hereinafter 'Lakeland'). A non-party, Dr. Greenberg, treated him at that site. The patient later was transferred to Arbors, an in-patient rehabilitation facility and a named defendant in the case. While at Arbors, the plaintiff was treated by non-party Dr. Fielding. The plaintiff also received treatment at Arbors from non-party Dr. GoIl, the physician who eventually discharged him from Arbors. Drs. GoIl, Greenberg, and Fielding were not employees or agents of Arbors.
The plaintiff sued Arbors for negligent hiring and retention, and 'for various violations of Chapter 400 of the Florida statutes.'59 During discovery proceedings, the plaintiff filed a motion seeking court approval to conduct ex-parte discussions with the aforementioned physicians. Florida's physician-patient privilege, grounded in statutory law,60 authorizes disclosure of a patient's medical records under four circumstances: (1) to other health care providers involved in the care and treatment of the patient; (2) if permitted by written authorization from the patient; (3) if compelled by subpoena; and (4) to attorneys, experts, and other individuals necessary to defend the physician in a medical negligence action in which the physician is or expects to be a defendant.61
Under the Florida statute, the court determined that Drs. GoIl, Fielding, and Greenberg could not engage in an ex parte discussion with Arbors' attorneys since the physicians were not employees of Arbors and were not currently treating the patient. Furthermore, the disclosure was not made from one health care provider to another; instead, it was made from one health care provider to the attorney of another health care provider. The court also noted that nothing prevented Arbors from serving the treating physicians with a subpoena to appear for a deposition.
In a footnote, the court wrote that HIPAA did not preempt Florida's statutory physician-patient privilege even though the Florida statute did not require that the entity disclosing medical information provide written notice to the patient that the patient could object to the disclosure. The court reasoned that the Florida statute, although 'proceduralIy' less strict, was 'substantively' more strict than the Privacy Rules because 45 CFR section 164.512(e)(1)(ii) requires only that a covered entity receive 'satisfactory assurance' that the patient who is the subject of the protected health information has been given notice of the intended disclosure. Under the Florida statute, however, disclosure based on notice alone was not permitted.
The court in United States ex rel. Mary Jane Stewart v. Louisiana Clinic62 addressed similar issues. The plaintiffs in that case brought a qui tarn action alleging that the defendant-physicians and medical clinic defrauded the federal government by presenting false claims for reimbursement of medical services provided to Medicare and Medicaid participants. The plaintiff requested various medical records concerning non-party patients. The defendant Dr. Flood moved for a protective order, asserting that the medical records would result in civil liability to the non-party patients under Louisiana state law if produced with patient identifying information.
In that regard, a Louisiana statute provided that disclosure of medical records was authorized only 'after a contradictory hearing with the patient... and after a finding by the court that the release of the requested information is proper.'63 The court held that the Louisiana statute did not apply, however, because the action was commenced under the authority of a federal statute, giving rise to exclusive federal question jurisdiction. It was also preempted by HIPAA. The court reasoned that since the Louisiana statute permitted disclosure under the given facts without the patient's consent, it did not adequately address the 'form, substance, or the need for express legal permission from an individual, who is the subject of the individually identifiable health information,' as required by 45 CFR Section 160.202(4).64
Nevertheless, the court held that disclosure of the medical information at issue was permitted under 45 CFR Section 164.512(e). It observed that since the plaintiffs and defendants 'have complied with the HIPAA regulations at issue by seeking an appropriate protective order and that the court has authority to order disclosure of nonparty patient information, subject to such a protective order, without conducting a contradictory hearing or having the parties obtain the patients' consent,' disclosure was warranted.65
The court therefore crafted a protective order that required a 'twofold' production of the records. First, the defendants were required to provide a set of 'unredacted' documents to plaintiffs' counsel. The court reasoned that the plaintiffs 'must be allowed to see the patient names so that they can investigate the validity of the claims for services rendered to those patients.'66 second, a set of 'redacted' records were to be provided and were permitted to be used by any party for any pretrial purpose.
The court order also provided that 'no more than two paralegals employed by counsel of record and one expert per party retained in connection with this litigation' should review those records.67 Further, '[a]ll persons to whom such information is disclosed must sign an affidavit that must be filed into the record, agreeing to the terms of the protective order and submitting to the jurisdiction of this Court for enforcement of those terms.'68 Finally, the court ordered that the scope of health information disclosure was restricted only to the litigation at hand.
In Horn v. Hernandez,69 the plaintiff commenced an action in New York State Supreme Court to recover damages arising from two motor vehicle accidents. The plaintiff alleged in the bill of particulars that she became 'sick, sore, lame and disabled . . . and suffers great physical and mental pains.'70 One of the defendants requested that the plaintiff provide an authorization for her psychiatric records. In response, the plaintiff moved for a protective order, claiming that the court was without authority to compel production of the authorizations because of HIPAA preemption.
The court rejected plaintiff's argument that it was without jurisdiction to require the release of her psychiatric records. It stated that the Privacy Rules specifically permitted the court to compel production of the authorization under section 164.512(e)(l)(i). The court reasoned that HIPAA does not impede 'the authority of this court to order a party in action before it to disclose medical, dental or other health information and/or records to adversarial parties by directing the party whose physical, emotional and/or mental condition is in controversy to execute authorizations permitting the release of health information deemed conditionally protected under the general provisions of HIPAA and its regulatory framework.'71 The court held that since the plaintiff had placed her mental and emotional condition in controversy in the lawsuit, she waived her psychiatrist-patient privilege. Consequently, it ordered production of an authorization for the release of those records.
The case of Lewis v. Clement72 involved the dissolution of a dental partnership. The issue before the New York State Supreme Court was whether the plaintiff, who was one of the group's partners, was entitled to the patient records of the other members of the dental practice. The defendants asserted that the plaintiff was only entitled to the records of those patients that he actually treated while a partner with the group. In its decision, the court recognized the New York common law principle that a former partner is only entitled to the records of patients with whom a patient-physician relationship was created during the existence of the partnership.
The defendants, however, also argued that under HIPAA they were not permitted to share any files with the plaintiff. The court ruled that since the 'parties herein do not dispute that [the group] transmitted health information in electronic form,' the partnership group was a 'covered entity' under HIPAA.73 The court held that the records relating to plaintiff's patients required disclosure to the plaintiff since 'HIPAA cannot be used as a sword or shield in disputes between partners as it relates to the sharing of patient records.'74 The court continued, noting that if 'the physician (the covered entity) has a relationship with a patient, the remaining partners may not refuse to provide files by virtue of HIPAA,' as long as there was a physician-patient relationship.75
IV.
ANALYSIS
As of this writing, the date by which 'covered entities' were required to comply with the HIPAA Privacy Rules is eight months passed. This article has discussed each of the reported decisions addressing the impact of the Privacy Rules on the discovery of health information during litigation. Of course, these decisions are few. However, the practical effects of the Privacy Rules already have impacted litigation practice.
The HIPAA regulations have changed the way that defense firms gather medical records, protect those records once gathered, send records to experts and others for review, and ultimately dispose of those records. In those jurisdictions where ex parte communications with treating physicians were permitted, that practice must be re-examined in light of HIPAA regulations.
Another area of potential concern for covered entities and their business associates is civil tort liability for impermissible disclosure of identifiable health information. As discussed above, the Privacy Rules expressly state that no federal private right of action has been created. The question whether a state law cause of action exists will depend, of course, on each individual state. One commentator acknowledges the potential for such an action, since the HIPAA Privacy Rules create duties of care with respect to health information.76 To date, however, there are no reported cases in this regard.
As demonstrated by the holdings in Sutherland and Louisiana Clinic, some federal courts have interpreted HIPAA as creating a 'pseudo' federal statutory physician-patient privilege. The HIPAA Privacy Rules only restrict the disclosure of health information by 'covered entities.' In both cases, the courts determined that the health information at issue was relevant and material. However, instead of simply ordering the covered entity to disclose the health information, which would have addressed the concerns of the 'covered entities' under section 164.512(e)(1), the courts used the Privacy Rules as a guideline to impose conditions on disclosure in order to protect the privacy of non-parties.
One important question left unanswered by the decision in United States of America v. Sutherland is the following: What grounds, if asserted by a non-party, would be sufficient to deny a party to a litigation access to health information of a non-party that is otherwise material and relevant? Although this question remains open, the potential clearly exists for significant litigation delays based on this court's interpretation of HIPAA. The court ordered that, insofar as a non-party objects to the disclosure of his or her health information, a pre-trial hearing must 'resolve' the issue. Depending on the number of non-parties objecting to the disclosure of their health information, the burden of such additional litigation could be significant. In contrast, the court in Louisiana Clinic did not allow for the possibility of several pre-trial 'hearings' to determine whether non-parties' heath information is discoverable. That court, however, crafted a 'two-fold' protective order and limited access of these records to two paralegals and one expert within each party's law firm. The question that remains affecting this limitation is what relief will be available if a further expert is needed. One surmises that at least they will be required to show cause why additional disclosure of the health information is necessary.
These issues, however, do not appear to surface when the health information involves a party. As demonstrated by the Hutton and Horn decisions, a litigant will not be permitted to use HIPAA as a means to deny access to material health information to an adversary. As demonstrated in Hutton, however, a litigant must be required at a minimum to obtain an authorization or seek a 'qualified protective order' before obtaining health information from a non-party 'covered entity.'
Although published decisions concerning application of the Privacy Rules during litigation are few in number, it is clear that the Privacy Rules must be addressed by litigants whenever the potential exists to discover health information for the prosecution or defense of their cases. For this reason, it is important for all practitioners to become reasonably acquainted with the Privacy Rules and understand their potential impact. Further, insofar as covered entities are potentially exposed to statutory penalties under HIPAA and state tort claims, covered entities should ensure that their legal departments remain abreast of the Privacy Rules and corresponding case law.
Until the HIPAA Privacy Rules are addressed with greater frequency by appellate courts, some degree of uncertainty for litigants and non-party 'covered entities' will continue. Issues regarding when or under what conditions identifiable health information must be properly disclosed under the Privacy Rules will predominate.
[Author Affiliation]
Michael D. Shalhoub is a partner in the New York office of Heidell Pittoni Murphy & Bach, LLP. He is a trial lawyer whose practice concentrates in the defense of business, professional and insurance interests brought into litigation over products liability, medical and professional liability, employment discrimination and commercial disputes. Active in the courtroom, Mr. Shalhoub has resolved over eighty cases at the trial stage, including favorable jury verdicts, in products liability, medical malpractice, employment discrimination, coverage, construction accidents and general liability. He is active in the FDCC and DRI, and is currently the Chair of DRI's Medical Liability and Health Care Law Committee.
[Author Affiliation]
Anthony M. Maragno is an associate in the New York office of Heidell Pittoni Murphy & Bach, LLP. His practice concentrates on medical malpractice defense, commercial litigation, employment discrimination, and contracts. Mr. Maragno is a former prosecutor for the Suffolk County District Attorney's Office.
