HIPAA Spring Check-up: Your Obligations to Safeguard Third-Party Patient Health Information in medical records produced in litigation
You’ve had your apple a day, but you can’t keep the subpoenas away…
And, if your organization is facing a request seeking records or other materials that may contain patient health information (“PHI”), it bears repeating that while HIPAA provides a number of methods through which covered entities that hold records containing PHI may produce such records, these guidelines are closely enforced by courts. Read on for your spring check-up.
By way of reminder, consent of the subject of the PHI is not a prerequisite to its production under HIPAA and the statute offers three litigation-related alternatives to obtaining consent from the subject of the implicated records. Specifically, 45 C.F.R. § 164.512(e) permits a covered entity to disclose PHI in the course of any judicial or administrative proceeding where:
- the party seeking the PHI obtains a court order governing the production of the records;
- the covered entity receives a written statement and documentation from the party seeking the PHI that it provided notice of the ligation to the subject, identified that the subject’s PHI was implicated in the request, gave the subject an opportunity to object, and received no such objection; or
- the party seeking the PHI demonstrates the existence of a court-endorsed protective order that prohibits the parties from using or disclosing the PHI for any purpose other than the underlying litigation and requires the return to the covered entity or destruction of the PHI at the end of the litigation.
However, as the United States District Court for the District of Kansas recently reiterated, even where the disclosure of PHI is permitted or permissible under HIPAA, any PHI should be produced in “de-identified” redacted format unless the subject of the medical records is a party to the lawsuit or the identity of the subject of the medical records is directly relevant to the claims and issues in the underlying case. See Duffy v. Lawrence Mem. Hosp., 2017 U.S. Dist. LEXIS 49583 (D. Kan. Mar. 31, 2017).
In Duffy, a false claims case, the parties had in place a protective order that the Court acknowledged bound the parties to keep the contents of the medical records produced confidential. However, that was not the end of the inquiry with respect to the production of the records that the Plaintiff argued it needed to show the extent to which the Hospital falsified records to obtain higher Medicare and Medicaid payments.
The issue of de-identification arose in association with the Hospital’s motion to modify a previous discovery order compelling it to produce more than 15,000 patient records responsive to the Plaintiff’s document requests. As grounds for the motion, the Hospital represented that responding to the Plaintiff’s requests as contemplated by the Court’s discovery order would take 8,982 working hours and cost $230,000, including redactions that would take ten reviewers fourteen days at a cost of $37,259.50. The Plaintiff argued that there was no need for redaction because the Plaintiff was bound under the terms of the stipulated protective order to keep patient information produced confidential.
While the Plaintiff made a creative argument given the scope of 45 C.F.R. § 164.512(e), she missed the key distinction between medical records specific to one of the parties in the underlying case and those of third parties. Specifically, the Court stated that, while it had “full confidence in the parties’ adherence to the terms of the protective order,” the medical records at issue related to patients who were not parties to the action and whose personal confidential information the Defendant had a legal duty to safeguard. For this reason, the Court directed the Defendant to produce the records only after redacting any PHI.
Doctor's Orders
So the lesson is clear: if your organization maintains vast amounts of records that contain PHI of any kind, be they medical records, clinical trial-related materials, correspondence with governmental agencies or other sensitive materials, even where a protective order is in place, make sure to consider and discuss with counsel redacting any PHI in records to be produced wherever the records involve unrelated third party subjects. Remember, this is true even where records may not contain full names (or names at all), social security numbers, or birth/death dates.
Your HMO (“HIPAA Maintenance and Organization”)
What PHI should covered entities be watchful for, even within materials that are not medical records in the tradition sense, to ensure produced records are de-identified? Be on the lookout for the following:
- Names
- All geographic subdivisions smaller than a state, including street address, city, county, precinct, zip code, and their equivalent geocodes[1]/
- All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older
- Telephone numbers
- Fax numbers
- Electronic mail addresses
- Social security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers and serial numbers, including license plate numbers
- Device identifiers and serial numbers
- Web Universal Resource Locators (URLs)
- Internet Protocol (IP) address numbers
- Biometric identifiers, including finger and voice prints
- Full face photographic images and any comparable images
- Any other unique identifying number, characteristic, or code (including clinical trial numbers)
[1]/ Except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census: (1) the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and (2) the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.