Navigating HIPAA to Obtain Medical Records

While HIPAA restrictions do not apply to a lawyer who requests protected health information (PHI) for use in civil litigation or an administrative proceeding, it restricts a covered entity’s ability to produce PHI in response to such requests. Consequently, understanding the requirements will ensure that records can be obtained more easily.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) implemented national standards to protect health information from disclosure without the subject’s knowledge or consent. The regulations implementing these requirements include restrictions on the use, disclosure, transmission, and maintenance of certain health information. The regulations relating to use and disclosure are referred to as the Privacy Rule.

The Privacy Rule – 45 CFR § 164

The HIPAA Privacy Rule only applies to the use and disclosure of protected health information (“PHI”) by a “covered entity” (which includes health plans, health care clearinghouses, and health care providers.

As a general rule, PHI includes information that:

1. Is created or received by a covered entity;

2. Relates to a person’s past, present, or future:

a. Physical or mental health/condition;

b. Health care; or

c. Payment for health care; and

3. Identifies the person or could reasonably be used to identify the individual.

To obtain documents containing PHI from a covered entity, a lawyer must have: (1) an order of a court/administrative tribunal; (2) written authorization from the patient or the patient’s legal representative; or (3) a subpoena/discovery request.

Court/administrative order

Under HIPAA, the simplest method of obtaining medical records is with an order issued by a court or administrative tribunal. A covered entity may immediately produce the information expressly identified in the order, without more.

Written authorization

Many attorneys prefer to draft and use their own authorization (rather than obtain authorizations from each of client’s providers). However, a valid authorization must contain:

1. The patient’s name;
2. The name of the person/entity authorized to make the disclosure;
3. The name of the person (or group) to whom the disclosure may be made;
4. A description of the information to be disclosed;
5. The purpose or use of disclosure (it is sufficient to state “at the request of the individual”); and
6. An expiration date.

The authorization must also notify the patient of the following:

1. The right to revoke the authorization in writing, the exceptions to the right to revoke, and the process for revocation; and
2. The potential for information disclosed pursuant to the authorization to be subject to redisclosure by the recipient and no longer be protected by HIPAA.

Finally, the authorization must be signed by the patient or the patient’s legal representative. If signed by the legal representative, the authorization must identify the basis of the person’s legal authority, and the covered entity may request proof of the authority.

While an authorization may apply to multiple covered entities and/or request multiple types of documents, it cannot be combined with any other document. Additionally, a request for “psychotherapy notes” (45 C.F.R. § 164.501) may not be combined with a request for any other documents.

Subpoena/discovery requests

PHI may also be obtained by subpoena or a discovery request. However, before a covered entity can release the records, the requesting party must provide “satisfactory assurances” that:

1. The patient has been notified or reasonable efforts were made to provide notice; OR
2. Reasonable efforts were made to secure a “qualified protective order.”

“Satisfactory assurances” requires a written statement and supporting documents.

To satisfy the notice provision, an attorney must demonstrate:

1. The requesting party made a good faith attempt to provide written notice to the patient;
2. The notice included sufficient information about the case to permit the patient to object;
3. The time for objection has elapsed; and

a. No objections were filed; or

b. All objections were resolved by the court/administrative tribunal and the disclosures being sought are consistent with such resolution.

Alternatively, a covered entity may produce records upon proof that a “qualified protective order” was issued or sought by the requesting party. A “qualified protective order” prohibits the parties from using or disclosing PHI for any purpose other than the proceeding in which it was requested and requires any party receiving the PHI to return or destroy all copies at the end of the proceeding.

While complying with HIPAA may seem burdensome, the burden can be minimized by ensuring that requests for PHI comply with the requirements of the Privacy Rule.

About the author

Kelly B. Stout, Esq. is an attorney at BaileyKennedy.  She practices primarily in the fields of complex civil litigation, appellate advocacy, healthcare law, and administrative law. She represents parties in disputes involving commercial and corporate law, business torts, healthcare law, professional licenses, professional responsibility, and legal ethics.