Responding to Requests for Information Kimberly J. Ruppel Billee Lightvoet Ward Dickinson Wright PLLC


Post on 15-Dec-2015


Responding to Requests for Information

Kimberly J. Ruppel
Billee Lightvoet Ward
Dickinson Wright PLLC

REQUESTS FOR PHI

• Requests for protected health information (PHI) can come from a variety of sources:
  • Patients
  • Family and friends
  • Other healthcare providers
  • Other third parties
• Requests for PHI can come in a variety of forms
  • Focus on requests through “legal” or “administrative” processes

REQUESTS FOR PHI

• Facts and circumstances dictate HIPAA obligations
• HIPAA requires disclosure in response to certain requests
  – Individuals
  – Secretary of the Department of Health and Human Services (DHHS)
• HIPAA permits disclosure in other situations

What Form of Requests Can I Expect?

• Court Order or Grand Jury Subpoena (issued by the Court)
  • HIPAA recognizes that the legal process for obtaining a court order and the secrecy of the grand jury process provide protections for the individual’s private information.
• Administrative Request or Civil Investigative Demand (issued by a governmental agency)

What Form Of Requests Can I Expect?

Discovery request from a party to a litigation:
• Request for the Production of Documents;
• Interrogatories;
• Notice for a Deposition;
• Subpoena

• These are issued by lawyers without the Court’s involvement.
• Before responding, look for a protective order or an authorization form signed by the individual.

Request Scenarios

• Personal injury lawsuit
• Malpractice lawsuit
• Employment litigation – breach of covenant not to compete
• Federal or state agency investigation:
  • Consumer protection;
  • Anti-kickback violations;
  • Stark violations;
  • Antitrust violations
• Criminal law enforcement
• Public health concerns

DISCLOSURES REQUIRED BY LAW

• A Covered Entity may disclose PHI to the extent required by law if the disclosure complies with and is limited to the requirements of such law
• Additional provisions apply to disclosures:
  • About victims of abuse, neglect or domestic violence
  • For judicial and administrative proceedings
  • For law enforcement purposes

DISCLOSURES FOR JUDICIAL AND ADMINISTRATIVE PROCEEDINGS

• A Covered Entity may disclose PHI expressly authorized by an order of a Court or administrative tribunal
• In response to a subpoena, discovery request or other process not accompanied by a Court order, a Covered Entity may disclose PHI only if:
  • “Satisfactory assurances”
    (a) the individual has been given notice of the request and has not objected or all objections have been resolved to allow for disclosure; or
    (b) reasonable efforts have been made to secure a qualified protective order that (i) prohibits use of the PHI other than for the litigation at issue, and (ii) requires return or destruction of the PHI at the end of the litigation

DISCLOSURES FOR JUDICIAL AND ADMINISTRATIVE PROCEEDINGS

Corrective actions imposed by the DHHS Office for Civil Rights:
• What did the hospital do wrong?
  • Responded to a subpoena unaccompanied by a court order
  • Satisfactory Assurances
    – Failed to determine that reasonable efforts were made to notify the individual of the request
    – Failed to receive satisfactory assurances that reasonable efforts were made to secure a qualified protective order
• What corrective actions were imposed?
  • Improved staff awareness through training
  • Revised internal subpoena processing steps

DISCLOSURES FOR LAW ENFORCEMENT PURPOSES

• A CE may disclose PHI to a “law enforcement official” for a “law enforcement purpose”
  • As required by law
  • In compliance with and as limited by a grand jury subpoena, Court order, Court-ordered warrant, or a subpoena or summons issued by a judicial officer; or
  • Limited information to identify or locate a suspect, fugitive, material witness or missing person
  • Information about an individual suspected to be a victim of a crime
    • Individual agrees to the disclosure; or
    • Individual can’t agree due to incapacity or other emergency, but certain representations are made by official
    • CE determines that disclosure is in the best interest of the patient

DISCLOSURES FOR LAW ENFORCEMENT PURPOSES

• Information about a decedent to alert law enforcement of the individual’s death if the CE has a suspicion that such death may have resulted from criminal conduct

• Information the CE believes in good faith is evidence of criminal conduct on the CE’s premises

• Information relating to a medical emergency (off-premises) if necessary to alert law enforcement to the commission, nature, location and victim(s) of a crime and the identity, description and location of the perpetrator of the crime.

DISCLOSURES FOR HEALTH OVERSIGHT ACTIVITIES

• A CE may disclose PHI to a health oversight agency for “oversight activities” authorized by law
  • Audits
  • Civil, administrative or criminal investigations or proceedings
  • Inspections
  • Licensure/disciplinary actions
• For oversight of the health care system and other programs, laws and entities where health information is relevant to eligibility or compliance

DISCLOSURES FOR PUBLIC HEALTH ACTIVITIES

• HIPAA permits covered entities to disclose PHI to public health authorities, governmental authorities, and other persons in relation to:
  • Controlling/preventing disease, injury or disability
  • Child abuse/neglect reporting
  • Quality, safety and effectiveness of FDA-regulated products/activities
  • Notification of exposure or risk relating to communicable disease
  • Reporting work-related illness or workplace-related medical surveillance
  • Providing proof of student immunization to schools

WHICH LAW APPLIES?

• If a request for information potentially involves PHI, HIPAA must be considered at the forefront

• HIPAA is a “floor” – state privacy laws may offer greater protection
• General Rule: HIPAA applies (preemption) unless:
  • state law “relates to the privacy of individually identifiable health information” AND
  • is more “stringent” than HIPAA
• If HIPAA and state law don’t conflict, comply with both

WHICH LAW APPLIES?

Consider provider-patient privilege laws
• Applies to physicians, dentists, counselors, optometrists, social workers
• PHI may not be disclosed without authorization except in the case of a personal injury or malpractice lawsuit by the patient against the provider

Parental access
• Michigan law allows parents to access their children’s medical records in most, but not all, instances

WHEN YOU RECEIVE A REQUEST

Initial Assessment
• Evaluate potential sources of responsive information
  – Medical Records and EMR
  – Billing, Scheduling, Administration
  – Policies/Procedures
  – Email and other correspondence
  – Laptops, smart phones or other mobile devices
• Involve appropriate personnel
  – Privacy/Security Officer or other compliance personnel
  – Risk Management
  – Internal and/or External Legal Counsel

WHEN YOU RECEIVE A REQUEST

Preservation Steps
• Determine who has “possession, custody or control”
• Issue a “legal hold” notice to employees and any third parties who may have relevant information
• Maintain documentation in its original form
• Suspend routine document and data destruction
• Proactively implement a document retention procedure
• Document preservation steps
• Involve administrative or technology staff to ensure that electronic information is not deleted or destroyed

Why Is Preservation Critical?

Legal obligation to preserve potentially relevant evidence

Spoliation of Evidence:
• Destruction (inadvertent or intentional) of information that is relevant to litigation or governmental investigation after you become aware of, or reasonably anticipate, the litigation or investigation
• Penalties:
  • Monetary damages
  • Presumption that destroyed information would support the opposing party’s case

RESPONDING TO A REQUEST FOR INFORMATION

Evaluate the Scope and Burden of the Request
• Practical Considerations
  • Is the time frame objectionable?
  • Is the volume of information overly burdensome?
  • What is the nature of the lawsuit or investigation?
  • What information is relevant?

RESPONDING TO A REQUEST FOR INFORMATION

• HIPAA Considerations:
  • Is PHI responsive and, even if not, is it included in potentially relevant data?
  • Would de-identified information satisfy the request?
  • Determine what HIPAA provision(s) apply
• Involve your Privacy and Security Officers
• Consult legal counsel as necessary

RESPONDING TO A REQUEST FOR INFORMATION

• Attempt to negotiate with the opposing party to narrow the request:
  • Timeframe (Federal Court Rules approve limiting to 5 years)
  • Use of search terms for electronic information
  • Identify and agree on employees who are the most likely custodians
  • De-duplication
• Make reasonable efforts to limit disclosure to minimum necessary
  • Exception for disclosures to the individual, required by law or pursuant to authorization

RESPONDING TO A REQUEST FOR INFORMATION

Protective Measures:
• Consider obtaining the individual’s authorization even if not required
• Court Involvement may be an option (Motion to Quash) or may be required (Qualified Protective Order)
• Ask the Court to shift search costs to the requesting party

WHY IS THIS IMPORTANT?

• Renewed governmental focus
• New regulations
• Expanded liability – new players
• Increased penalties (up to $1.5 Million per violation)
• Media attention
• Patient sensitivity/awareness

WHY IS THIS IMPORTANT?

Beginning in 2011 – first civil money penalty imposed by OCR: $4.3 million fine for health plan’s denial of access to patient’s own medical records

• Must provide patient a copy of medical records within 30 days and no later than 60 days of the patient’s request

• Probably exacerbated by the health plan’s failure to cooperate with OCR’s investigation

Inadvertent disclosures can be expensive (more next session):

• Stolen unencrypted thumb drive resulted in $150,000 settlement

• Stolen unencrypted laptop resulted in $1.5 million settlement

• Leased photocopier returned without erasing data resulted in $1.2 million settlement

MITIGATING YOUR RISK

• Maintain an updated records management program
• Maintain appropriate HIPAA policies and procedures
• Carefully select your vendors
• Train your workforce
• Document everything
• Cooperate (reasonably) with OCR and other governmental authorities
• Know your obligations when an inadvertent disclosure occurs

QUESTIONS?