Vol. 78, No. 4, April
The HIPAA Privacy Rules:
Disclosures of Protected Health Information in Legal Proceedings
The author provides practical information to help attorneys who
represent entities covered by HIPAA and those who litigate matters
involving individuals' health conditions understand the HIPAA Privacy
Rules and when the state rules supersede them.
by Judith A. Langer
The federal Health Insurance Portability and
Accountability Act (HIPAA)1 is an area of
law unfamiliar to many attorneys. Yet it is essential that Wisconsin
attorneys have a working knowledge of HIPAA and its accompanying
Administrative Simplification regulations,2
particularly the HIPAA Privacy Rules.3
Counsel who represent health-care providers,4 health plans,5 or
health-care clearinghouses6 (collectively
called "covered entities"), or who litigate matters involving
individuals' physical or mental health conditions, must have a clear
understanding of the HIPAA Privacy Rules (Privacy Rules). Lawyers who
fail to understand and comply with HIPAA may be subject to judicially
imposed sanctions and other remedial actions.
This article discusses the Privacy Rules' provisions governing a
covered entity's use and disclosure of protected health information in
judicial and administrative proceedings and pursuant to lawful process.
It does not discuss in depth the physician-patient privilege and other
issues of evidence. Attorneys should be aware that even if the
substantive HIPAA privacy provisions are satisfied, evidentiary
privileges may still prevent a covered entity from disclosing protected
Information Subject to HIPAA
The Privacy Rules govern "protected health information" (PHI).8 The definition of PHI is very broad and includes
many different types of information in addition to medical and hospital
records. Medical bills, health insurance claims, applications for health
insurance, and even the fact that a person is a physician's patient or a
health plan enrollee are all considered to be PHI. Types of records
excepted from PHI include education records covered by the Family
Educational Rights and Privacy Act (FERPA),9
employment records held by a covered entity in its role as employer, and
certain other records mentioned in FERPA.10
Attorneys as Business Associates
Organizations, such as outside counsel, that perform duties for a
covered entity involving the use or disclosure of PHI are called
"business associates"11 under HIPAA. The
Privacy Rules require covered entities to impose contractual limitations
on their business associates. Under these business associate agreements,
the business associate may only use12
internally or disclose13 externally PHI in
performing its duties and may not use or disclose PHI in a manner that
violates the Privacy Rules.14 Thus, under
their business associate agreements, attorneys representing health
plans, health-care providers, or health-care clearinghouses have
contractual duties to their clients to comply with the Privacy
Application of Stricter State Privacy Laws - HIPAA Preemption
Key to understanding the Privacy Rules is the concept of HIPAA
preemption, that is, the relationship and interplay between state and
federal privacy laws. The federal Privacy Rules provide for incomplete
preemption of state law. In other words, where a state's privacy law is
contrary to and more stringent15 than the
HIPAA Privacy Rules, state law will apply. Though the Privacy Rules
define several different contexts in which state law is more stringent,
generally a state law will be more stringent where it prohibits a use or
disclosure of PHI that HIPAA would permit, or where it provides the
individual with greater privacy rights than HIPAA affords the
individual. HIPAA preemption therefore presents a difficult analysis for
attorneys attempting to determine which privacy law or regulation
applies in any particular circumstance.
To date, no Wisconsin court has analyzed whether Wisconsin law is
stricter than the Privacy Rules, but courts in other states are
beginning to do so.16 However, a
collaborative workgroup that included many attorneys, the HIPAA
Collaborative of Wisconsin (HIPAA COW), has performed a preemption
analysis on several Wisconsin statutes and regulations, including Wis.
Stat. sections 51.30, 146.50, 146.81, 146.82, and 610.70, and chapter
252, among others.17 These preemption
analyses will be useful to attorneys evaluating whether and to what
extent Wisconsin laws are stricter than the Privacy Rules.
Use and Disclosure of PHI in Legal Process
The Privacy Rules permit attorneys to obtain PHI from covered
entities either with or without the individual's permission. HIPAA
establishes different requirements for each method of obtaining PHI, and
in some situations attorneys will find they are required to take
additional steps when requesting PHI or ensure that requesters take
additional steps before releasing PHI on behalf of a covered entity.
Additionally, the U.S. Department of Health and Human Services,
Office of Civil Rights, the agency charged with enforcing the Privacy
Rules,18 recently issued a number of
frequently asked questions to clarify the use and disclosure of PHI in
judicial and administrative proceedings.19
These frequently asked questions, in some situations, soften the effect
of Privacy Rules' strict requirements, and should be read in tandem with
the Privacy Rules.
Disclosure with the individual's permission. When a
person or entity wants to obtain an individual's permission (or
authorization) for the release of PHI, the Privacy Rules require use of
a written authorization form containing specific core and required
elements, detailed in 45 C.F.R. § 164.508(c)(1) and (2). Most
authorization forms used by attorneys probably already include the
HIPAA-required core elements. Attorneys will need to add the following
HIPAA-required elements to their standard release forms: the
individual's right to revoke the authorization and how the individual
may do that; the ability or inability of the covered entity to condition
treatment, payment, enrollment, or eligibility for benefits on the
authorization; and the potential for information disclosed by the
authorization to be redisclosed by the recipient and thus no longer
protected by the Privacy Rules.
One of the instances in which state privacy law may be more stringent
is with respect to authorizations. Consequently, due to HIPAA preemption
rules, more stringent Wisconsin law requires additional elements to be
added to written authorizations used to obtain PHI from Wisconsin
health-care providers and health plans. For example, Wisconsin law
requires that an individual give specific permission for the release of
mental health records and HIV information, and authorizations to request
these types of PHI from health-care providers must include this specific
permission. Also, the effective length of an authorization to obtain PHI
from a health insurer is governed by Wis. Stat. section 610.70(2).
The HIPAA COW Web site also contains sample authorization forms,
specifically tailored to comply with both the Privacy Rules and
Wisconsin law, which many health-care providers and health insurers in
Wisconsin are likely to accept.20 Attorneys
can also consider contacting a hospital before requesting records to
determine whether the hospital requires a particular authorization form.
Difficulties concerning authorization forms may be resolved by
contacting the organization's privacy officer, a person required by
HIPAA to be responsible for privacy-related forms.21
Thus, for example, under Wis. Stat. section 804.10, when counsel
obtains or the court orders patient consent to the release of X-rays or
other medical records or information by health-care practitioners or
facilities, the form of the consent will need to comply with both
HIPAA's authorization requirements and stricter Wisconsin law.
Disclosure without the individual's permission. In
situations in which it is not possible or practicable to obtain an
individual's permission to release PHI in the course of judicial or
administrative proceedings, the Privacy Rules permit attorneys to use or
obtain PHI from covered entities in several ways.
Use of PHI in legal process or proceedings. The
Privacy Rules permit a covered entity to use PHI for its treatment,
payment, or health care operations purposes22 without obtaining an individual's
authorization.23 The Office of Civil Rights
has interpreted the Privacy Rules as permitting a covered entity that is
a party to legal proceedings to "use" PHI in the litigation as part of
its "health care operations."24 This
interpretation should be understood to mean that a covered entity can
share the PHI it possesses as a covered entity with the attorney
representing it in a judicial or administrative proceeding, so that the
attorney may furnish legal services and advice to the covered entity.
For example, the Privacy Rules permit a physician who is a defendant in
a medical malpractice action to share a plaintiff patient's PHI in the
physician's possession with the physician's attorney, as part of the
physician's health care operations.
Disclosure of PHI in legal process or proceedings.
Section 512(e) of the Privacy Rules establishes the conditions under
which a covered entity may disclose PHI in the course of judicial or
administrative proceedings. Importantly, it is the covered entity's
compliance duty, not the requesting attorney's legal obligation, to
ensure that the section 512(e) provisions are met before disclosing PHI,
despite one court's contrary interpretation.25 Nevertheless, as a practical matter, attorneys
should familiarize themselves with the section 512(e) requirements to be
able to foresee and forestall any potential objections from covered
entities that are asked to produce PHI.
Significantly, the Office of Civil Rights has taken the position that
the section 512(e) requirements only apply to covered entities that are
not parties to a judicial or administrative proceeding.26 The Office of Civil Rights determined that the
Privacy Rules permit covered entities that are parties to litigation to
disclose PHI in the course of litigation as part of the covered
entities' health care operations. Thus, the section 512(e) procedures
have practical effect only when PHI is requested of a nonparty covered
In brief, section 512(e) permits covered entities to disclose PHI
without the individual's permission in two circumstances. One
circumstance is when the covered entity receives a court order. The
other circumstance is when the covered entity receives a subpoena,
discovery request, or other lawful process unaccompanied by a court
order. In the latter situation, the covered entity may disclose the
requested PHI without the individual's permission, but only if either
notice is given to the individual to whom the PHI pertains, or a
qualified protective order is sought or obtained.27 The Privacy Rules dictate the notice and
qualified protective order requirements.
Notice requirement. A covered entity is permitted
under section 512(e) to disclose PHI in response to a subpoena,
discovery request, or other process unaccompanied by a court order, if
the covered entity receives "satisfactory assurance" of reasonable
efforts to notify the individual who is the subject of the PHI.28 "Satisfactory assurance" means a written
statement and accompanying documentation showing that the requester has
made a good faith attempt to provide written notice to the individual
that his or her PHI will be disclosed.29
The notice must provide sufficient information about the matter, such as
case number, name, and court or tribunal where pending, to allow the
individual to lodge an objection.30 The
assurance must indicate that time for any objections has elapsed or that
the court or tribunal has resolved any objections in favor of permitting
release of the requested PHI.31 If the
subpoena or other request on its face documents all these elements, no
supplemental documentation is required.32
Additionally, the Privacy Rules allow the covered entity itself to
provide notice to the individual to satisfy the notice
Although technically the Privacy Rules permit notice to be given only
to the individual or his or her personal representative34 as defined under HIPAA, the Office of Civil
Rights issued a frequently asked question that apparently recognizes the
ethical principle that attorneys who know that individuals are
represented by legal counsel must only contact the individual's legal
counsel or obtain that counsel's consent to contact the individual.
Qualified protective order requirement. The Privacy
Rules also permit a covered entity to disclose PHI in response to a
subpoena, discovery request, or other process unaccompanied by court
order if the covered entity receives satisfactory assurance that the
requester has made reasonable efforts to obtain a qualified protective
order.36 HIPAA defines a qualified
protective order as a court or administrative order, or an order issued
on the parties' stipulation, prohibiting the parties from using or
disclosing the requested PHI for any purpose other than the litigation,
and requiring the PHI either to be returned to the covered entity or
destroyed at the end of the litigation.37
Satisfactory assurance that the requester has made reasonable efforts to
secure a qualified protective order means that the covered entity must
receive from the requester a written statement and accompanying
documentation showing either that the parties to the dispute have agreed
to a qualified protective order and have presented it to the court or
administrative tribunal with jurisdiction over the dispute or that the
party seeking the PHI has requested a qualified protective order from
the court or tribunal.38 The Privacy Rules
also permit the covered entity to obtain a qualified protective
The requirement that PHI subject to a qualified protective order be
returned or destroyed at the end of the litigation may present a
challenge to attorneys. A malpractice carrier may require its insured
attorneys to retain PHI as part of the case files for a certain number
of years, or it may not be entirely clear when the end of the litigation
occurs, due to multiple or repeated collateral appeals. Moreover, an
attorney may have shared the PHI with expert witnesses, and the PHI may
be in evidence and part of the court file, in which case return or
destruction of the PHI may be difficult or impractical.
One alternative to the "return or destruction" requirement that would
likely satisfy the Privacy Rules requirements would be to state in the
qualified protective order that, if the attorney receiving PHI could not
feasibly return or destroy the PHI at the end of litigation, the
attorney would be obligated to protect the confidentiality of the PHI
for so long as the attorney retained the PHI and that the attorney would
limit further uses and disclosures of the PHI to the purposes making the
return or destruction of the PHI infeasible.40 This would ensure that individuals' privacy
rights were respected while recognizing practical limitations of a
strict "return or destruction" requirement.
Also, because section 512(e) establishes the minimum legal
requirements for a covered entity to be legally permitted to disclose
PHI, attorneys should be aware that health plans and health-care
providers may have adopted privacy policies that require more safeguards
than HIPAA requires before disclosing PHI. For example, before
disclosing PHI, a health-care provider may require an attorney who
requests PHI to prove that a qualified protective order has actually
been entered, as opposed to merely stating that "reasonable efforts"
were made to obtain it. Moreover, a health plan may require that the
satisfactory assurance of notice be made by affidavit, as opposed to the
mere written statement referred to in section 512(e).
Tips for Attorneys
In a nonlitigation context or before litigation
commences. The section 512(e) procedures will have little
practical application before a judicial or administrative proceeding is
commenced. Both the notice and the qualified protective order
requirements in section 512(e) by their terms assume that a court will
be available to issue the order or resolve objections. Therefore,
obtaining PHI before commencing a legal proceeding will usually require
the individual's authorization or a court order, if one can be obtained
under the circumstances.
When seeking PHI by means of authorization, attorneys must understand
that under the Privacy Rules, covered entities are permitted, not
required, to disclose PHI in response to a valid authorization.41 Any difficulties over whether the attorney's
authorization is or is not HIPAA-compliant may usually be resolved by
using the covered entity's own authorization form or by contacting its
privacy officer. A truly recalcitrant covered entity can, under the
Privacy Rules, be made to disclose a patient's PHI by means of the
patient making a HIPAA request for access to PHI,42 assuming there are no valid legal grounds for
the covered entity to deny the patient's access request. However, making
an access request under HIPAA should be a last resort, due to the
lengthy timeframe available to the covered entity to evaluate the
request and potential additional costs involved.
After litigation or proceeding commences. As noted
above, the Office of Civil Rights limited application of the section
512(e) requirements to covered entities that are not parties to a
judicial or administrative proceeding. Under the Office of Civil Rights'
interpretation, for example, a defense attorney representing a physician
who requests PHI from a codefendant physician in a medical malpractice
action would not have to obtain a qualified protective order or provide
notice to the plaintiff under HIPAA when serving interrogatories seeking
PHI on codefendant's counsel. HIPAA would permit the codefendant
physician to disclose the PHI in response to the interrogatories, as a
part of the physician's health care operations.
Depending on the situation, it may not be necessary under Wisconsin
law for attorneys to satisfy the section 512(e) satisfactory assurance
notice requirements when they request PHI from a nonparty covered
entity. For example, Wis. Stat. section 804.10(2) states that in a
personal injury case the court shall order the plaintiff to execute an
authorization permitting the defendant to inspect and copy any hospital
or medical records within the scope of discovery. When a patient's
authorization has been obtained, it is not necessary to also give
satisfactory assurance under section 512(e).
As a practical matter, in cases in which PHI will clearly be at issue
and in which attorneys may need to subpoena PHI from nonparty covered
entities, it is probably easiest at the outset of the case to either
stipulate with opposing counsel or ask the court to issue a qualified
protective order applying to any PHI that either attorney may subpoena
for the case.
If an attorney chooses to provide notice of the subpoena to the
individual whose PHI is being requested, the attorney should consider
using a 10-day notice period for objections to be heard and resolved.
Although section 512(e) does not specify any particular timeframe for
the individual to raise objections, it would be reasonable in a state
court proceeding to use a 10-day notice provision similar to that in
Wis. Stat. section 805.07(2)(b).
Sanctions Against Attorneys
Wisconsin attorneys should be aware that courts in several
jurisdictions have considered, and in one case actually imposed,
sanctions on attorneys for failing to comply with the Privacy
Rules.43 Though neither HIPAA nor the
Privacy Rules contain civil sanctions expressly applicable to attorneys,
one California court relied on HIPAA's range of civil administrative
fines as guidance in sanctioning defense counsel for failure to follow
section 512(e) when communicating with the plaintiff's treating
The HIPAA Privacy Rules add another layer of complexity to existing
process and procedures for obtaining and using protected health
information in the course of legal proceedings. Attorneys will need to
carefully consider the effect of HIPAA's substantive privacy regulations
on their requests for protected health information from health-care
providers, health plans, and health-care clearinghouses.
Judith A. Langer,
Marquette 1985, is senior counsel in the corporate legal department of
WellPoint Inc., focusing on privacy, information security, and
regulatory issues. Before the September 2003 merger of Cobalt Corp. with
WellPoint, Langer served as Cobalt's privacy official.
The author thanks attorney Kathy Nusslock for her contributions to
1. Pub. L. No. 104-191, 42 U.S.C. § 1320d-1, et seq.
2. The Administrative Simplification regulations include the Privacy Rules, the Security Rules, and the Transaction and Code Set Rules (45 C.F.R. parts 160, 162, 164).
3. The HIPAA Privacy Rules are codified at 45 C.F.R. parts 160 and 164.
4. Health-care providers governed by the HIPAA rules are those who transmit electronically the HIPAA standard transactions. See 45 C.F.R. § 160.103(3) (definition of
5. 45 C.F.R. § 160.103 (definition of "health plan").
6. Id. (definition of
7. See Northwestern Mem'l Hosp. v. Ashcroft, 362 F.3d 923, 925-26 (7th Cir. 2004) (Posner, J.) (drawing distinction between procedural authority granted by Privacy Rules to obtain medical records and admissibility or privileged nature of those records).
8. 45 C.F.R. § 160.103 (definition of "protected health information").
9. 20 U.S.C. § 1232g.
10. 20 U.S.C. §
11. 45 C.F.R. § 160.103 (definition of "business associate").
12. Id. (definition of
13. Id. (definition of
14. 45 C.F.R. § 164.504(e). Effective April 21, 2005, the HIPAA Security Rules impose additional duties on business associates to safeguard electronic PHI, as set forth in 45 C.F.R. §§ 164.308(b) and 164.314(a).
15. 45 C.F.R. § 160.202.
16. A partial list of cases in which courts have performed HIPAA preemption analyses includes: Crenshaw v. MONY Life Ins. Co., 318 F. Supp. 2d 1015 (S.D. Cal. 2004); National Abortion Fed'n v. Ashcroft, 2004 WL 292079 (N.D. Ill. 2004), rev'd sub nom. Northwestern Mem'l Hosp. v. Ashcroft, 362 F.3d 923 (7th Cir. 2004); Bayne v. Provost, 2005 WL 469360 (N.D.N.Y. 2005); National Abortion Fed'n v. Ashcroft, 2004 WL 555701 (S.D.N.Y. 2004); Law v. Zuckerman, 307 F. Supp. 2d 705 (D. Md. 2004); Lemieux v. Tandem Health Care of Florida Inc., 862 So. 2d 745 (Fla. Dist. Ct. App. 2003); Smith v. American Home Prods. Corp. Wyeth-Ayerst Pharm., 855 A.2d 608 (N.J. Super. Ct. Law Div. 2003); Keshecki v. St. Vincent's Med. Ctr., 785 N.Y.S.2d 300 (N.Y. Sup. Ct. 2004); State ex rel. Cincinnati Enquirer v. Adcock, 2004 WL 3015324 (Ohio Ct. App. 2004); Hawes v. Golden, 2004 WL 2244448 (Ohio Ct. App. 2004).
17. The HIPAA COW preemption charts can be found at http://hipaacow.org/home/PrivacyDocs.aspx (last accessed Feb. 28, 2005).
18. See 65 Fed. Reg. 82,381 (Dec. 28, 2000).
19. These frequently asked questions, or FAQs, are found at http://hipaacow.org/Docs/PrivacyGrid/WI%20%20HIPAA%20Authorization%202-20-03.doc (last accessed Feb. 28, 2005).
21. 45 C.F.R. §
22. 45 C.F.R. § 164.500.
23. See 45 C.F.R. §§ 164.502(a)(1)(ii), .506(c)(1).
24. Answer ID 705 of the FAQs at www.hhs.gov/ocr/hipaa.
25. Crenshaw, 318 F. Supp. 2d at 1029.
26. Answer ID 704 of the FAQs at www.hhs.gov/ocr/hipaa.
27. 45 C.F.R. § 164.512(e)(1)(i), (ii)(A), (B).
28. 45 C.F.R. §
29. 45 C.F.R. §
30. 45 C.F.R. §
31. 45 C.F.R. §
32. Answer IDs 706 and 708 of the FAQs at www.hhs.gov/ocr/hipaa.
33. 45 C.F.R. §
34. 45 C.F.R. §
35. See Answer ID 707, found at www.hhs.gov/ocr/hipaa. See also SCR 20:4.2.
36. 45 C.F.R. §
37. 45 C.F.R. §
38. 45 C.F.R. §
39. 45 C.F.R. §
40. Compare similar provisions in 45 C.F.R. § 164.504(e)(2)(ii)(I), in the context of business
41. 45 C.F.R. §
42. See 45 C.F.R. §
43. See Law, 307 F. Supp. 2d at 712-13 (sanctions contemplated but rejected, because court initially held that HIPAA was inapplicable); Crenshaw, 318 F. Supp. 2d at 1030 (sanctions imposed on defense counsel who had ex parte contact with one of plaintiff's treating physicians).
44. Crenshaw, 318 F. Supp. 2d at 1029-30.