Vol. 76, No. 8, August 2003
Attorney Access To and Use of Medical Records
Now that health care providers are in
compliance with the HIPAA privacy rule, attorney attention has shifted
to how the federal rule and Wisconsin laws affect them in their own law
practices. This article assists attorneys in all practice areas in
negotiating the hazards of state and federal medical privacy laws, and
includes helpful charts.
by Elizabeth C. Stone
In the years leading up to the April 14, 2003,
deadline for compliance with the federal privacy regulations enacted
pursuant to the Health Insurance Portability and Accountability Act of
1996 (HIPAA), attorneys representing health care providers and other
HIPAA "covered entities" focused their attention on assisting their
clients in achieving compliance with the regulations. Now that entities
covered by the HIPAA privacy regulations (the "Privacy Rule" or "Rule")
are, presumably, operating in compliance with the Rule, those same
attorneys - and others who do not represent but do interact with covered
entities - will likely be compelled to shift their focus to the ways in
which the Privacy Rule may indirectly affect them.[1]
Because the Privacy Rule limits the extent to and the manner in which
covered entities such as health care providers are permitted to share
information with third parties, it will necessarily affect those parties
who need to obtain access to information in the hands of those covered
entities. Attorneys who represent health care providers, and attorneys
who need medical records or other patient information in the course of
litigation or other legal matters, will be indirectly affected by the
Privacy Rule.
Yet the analysis for attorneys in Wisconsin does not begin and end
with the Privacy Rule. Interestingly, existing Wisconsin medical records
confidentiality laws are in many ways more restrictive than the Privacy
Rule when it comes to attorney access to medical records and in most
cases will continue in effect alongside the new federal rules.
The bottom line is that all Wisconsin attorneys, even those
practicing outside the realm of health law, should have a basic
understanding of how the Privacy Rule interacts with state law and the
net effects of that interaction on their access to medical records.
Attorneys and the HIPAA Privacy Rule
Attorney Access to Health Information Under the Privacy
Rule. The Privacy Rule applies directly to three distinct
categories of "covered entities," the most important category for
purposes of this article being the covered health care provider.[2] A health care provider is subject to the Privacy
Rule if it conducts specified types of financial and administrative
transactions, such as submitting insurance claims, via electronic
means.[3] Most hospitals and physician
practices, and many nursing homes and other health care facilities, are
covered under the Privacy Rule.
The basic purpose of the Privacy Rule is to safeguard the
confidentiality of "protected health information" (PHI) in the hands of
covered entities. PHI is information in any form or medium - paper,
oral, electronic - that relates to an individual's health care and that
either directly identifies or can be used to identify the subject
individual.[4] For health care providers, all
identifiable patient information collected or created in the course of
treating patients constitutes PHI.
The backbone of the Privacy Rule's confidentiality protections is its
limitation on the manner in which covered entities are permitted to use
and disclose PHI. A "use" under the Rule is the sharing or employment of
PHI within a covered entity; a "disclosure," on the other hand, is the
sharing of PHI outside a covered entity.[5]
Generally, a covered entity may not use or disclose PHI without first
obtaining the subject individual's written consent, known as
"authorization."[6]
There are, however, several exceptions to the authorization rule, a
few of which prove beneficial to attorneys seeking access to medical
information. First, the Rule makes clear that "[c]onducting or arranging
for ... legal services" falls within the range of business and
management functions of a covered entity known as "health care
operations." Covered entities are permitted to use and disclose PHI
without authorization when engaged in such functions.[7] In other words, the Privacy Rule generally permits
providers, without authorization, to use PHI, and to disclose it to
their attorneys, in order to obtain legal advice and
representation. Thus, attorneys representing providers are permitted
under the Rule to access their clients' PHI without obtaining
authorization. Attorneys seeking records from nonclient providers,
however, are not eligible for this exception and thus ordinarily will be
required to obtain patient authorization prior to accessing those
records.
Figure 1
Privacy Rule Plus State Law Effects on Outside Counsel Access to and Use and Disclosure of Client's PHCR

Method of Accessing PHCR | Use | Disclosure
Authorization | Use permitted, subject to business associate obligations | Disclosure permitted, subject to business associate obligations
Court order | Use permitted, subject to business associate obligations and any limitations in court order | Disclosure permitted only if court order explicitly authorizes; disclosures are subject to business associate obligations
Deidentification | Use permitted | Disclosure prohibited
Second, when records are sought in the course of judicial or
administrative proceedings, the Rule permits providers to disclose PHI
to their own and other attorneys, without authorization, in response to:
1) a court or administrative order; or 2) subject to certain conditions,
a subpoena, discovery request, or "other lawful process."[8] Third, providers are permitted to share with
attorneys, without authorization, any information that has been properly
"de-identified," that is, purged of some 18 specified elements of
identifying information such that the identity of the subject individual
is indiscernible.[9]
The Business Associate Rule. Under the Privacy Rule,
attorneys are classified as "business associates" of their covered
entity clients.[10] Providers and other
covered entities are required, with each of their business associates,
to enter into a contract containing specific provisions regarding the
permitted uses the business associate may make, and the manner in which
the business associate must protect the confidentiality, of any PHI it
receives for or on behalf of the provider.[11] Importantly, the business associate rule
operates whether or not the business associate is performing functions
that would require an authorization prior to the provider's disclosure
of PHI to the business associate. Thus, for example, even though
obtaining legal services is a health care operation that does not
require the provider to obtain authorization prior to disclosing PHI
therefor, a covered provider nonetheless must enter into a business
associate contract with its outside counsel.
Fortunately for law firms and attorneys who serve covered health care
providers, these business associate contracts should not fundamentally
change the manner in which they handle PHI received from or on behalf of
their clients. In general, business associate contracts must prohibit
the business associate from using or disclosing PHI in a manner that
would violate the Privacy Rule if done by the covered entity; thus, if
the Rule would require the provider to obtain authorization prior to
using PHI for a certain purpose, then the business associate is likewise
required to obtain authorization to use PHI for that purpose. In the
case of attorneys, however, because legal representation is a health
care operation, most uses and disclosures of PHI made by attorneys in
the course of representing their health care clients will not require
authorization under the Privacy Rule.
Nonetheless, business associate contracts will impose some new
obligations on attorneys with respect to PHI received from or on behalf
of their provider clients. Business associate contracts will generally
prohibit attorneys from using or disclosing PHI for purposes other than
legal representation and require them to: 1) use "appropriate
safeguards" to prevent prohibited uses and disclosures; 2) report
unauthorized uses and disclosures to the provider client; 3) ensure that
any agents or subcontractors to whom PHI is provided agree to the same
restrictions and conditions that apply to the business associate with
respect to that information; 4) make certain PHI available for
inspection and potential amendment by the patient who is the subject of
the information; 5) track certain of their disclosures of PHI in the
event the patient ever seeks an accounting thereof; 6) open their books
and records in the event of a HIPAA audit; and 7) return or destroy all
PHI once the attorney-client relationship terminates.[12] The contract will also authorize the provider
client to fire the attorney if the attorney commits a "material breach"
of the contract.[13]
In summary, the Privacy Rule generally affords attorneys broad access
to PHI in the hands of their provider clients without the need for
authorization. Those attorneys, however, are in turn limited and
conditioned in their use and disclosure of that information by the
business associate contract. On the other hand, attorneys seeking access
to records in the hands of nonclients are not subject to business
associate requirements but, with only limited exceptions, must obtain
authorization in order to access the information in the first place.
Comparing the Privacy Rule to Wisconsin's Patient Records
Statute
Wisconsin has enacted its own patient records statute to protect the
confidentiality of medical records.[14]
Section 146.82 protects the confidentiality of "patient health care
records" (PHCR), which are defined as all records prepared by or under
the supervision of a health care provider that relate to the health of a
patient (excluding mental health and other specific types of medical
records that are protected under other statutes).[15] Like the Privacy Rule, section 146.82 applies to
health information in a variety of forms, including paper and electronic
records; however, section 146.82 is narrower than the Privacy Rule in
that it ostensibly applies only to "records" and does not purport to
protect medical information that is not "recorded or preserved" in some
tangible form.[16] (Hereinafter, the term
"PHCR" is used to refer to information protected both under state law
and under the Privacy Rule.)
In its applicability, section 146.82 is in some ways narrower and in
some ways broader than the Privacy Rule. In contrast to the three types
of entities covered by the Privacy Rule, only health care providers are
directly subject to section 146.82.[17]
However, the Wisconsin law, unlike the Privacy Rule, applies to all
health care providers, regardless of whether they engage in electronic
financial and administrative transactions. The net result for health
care providers is that those that are covered entities under HIPAA will
also be subject to state law. Therefore, in sharing PHCR with their
attorneys and others, covered providers must follow both the Privacy
Rule and state law.
The basic mechanism for privacy protection under the state law is
similar to that under the Privacy Rule. Generally, section 146.82
prohibits the release of PHCR without written patient authorization.
(Such authorization is termed "informed consent" in the Wisconsin law;
hereinafter, the term "authorization" is used to mean both Privacy Rule
"authorization" and state law "informed consent.") Unlike the terms
"use" and "disclosure" under the Privacy Rule, the term "release" is not
defined in the Wisconsin law, but the commonly-held assumption is that
the state law regulates only the sharing of information outside the
entity, akin to a HIPAA "disclosure."
Like the Privacy Rule, section 146.82 provides exceptions to the
authorization rule; however, the exceptions applicable to disclosures to
attorneys are narrower than those under the Privacy Rule. Most notably,
in significant contrast to the Privacy Rule, state law does not provide
a blanket exception for health care operations activities. Thus, section
146.82 does not permit a health care provider, without authorization, to
disclose PHCR to outside counsel for purposes of obtaining legal advice
and representation.
There are only two state law exceptions that may apply with respect
to disclosures of PHCR to outside counsel: 1) when a court order has
been obtained; or 2) when the records "do not contain information ...
that would permit the identification of the patient."[18] The court order exception is analogous to, but
narrower than, the Privacy Rule's exception for disclosures pursuant to
a court order, subpoena, or other lawful process. With respect to the
deidentification exception, state law is consistent with the Privacy
Rule in permitting disclosures of deidentified information but, unlike
the Rule, provides no specific guidance on how deidentification is to be
achieved.
Though state law contains no analogue to the business associate rule,
it does include a provision that generally prohibits recipients of PHCR
obtained without authorization from "redisclosing" that information,
except as authorized by a court order.[19]
Thus, under state law, anyone - attorneys included - who obtains PHCR
from a health care provider without authorization (or court order) is
prohibited from disclosing it to others, for any purpose.
Practical Implications for Attorneys' Access to and Use and
Disclosure of PHCR
Under the Privacy Rule, state medical records confidentiality laws
will apply in tandem with the Rule unless the state law is contrary to
the Rule, meaning that it would be impossible to comply with both laws.
If a state law is deemed contrary to the Rule, whichever law is more
stringent will prevail. State law will generally be deemed more
stringent than the Rule if it provides greater restrictions on the
covered entity's use or disclosure of PHI.[20] Because Wisconsin law is stricter than the
Privacy Rule in many ways, it often prevails over the Privacy Rule,
yielding interesting effects on attorney access to PHCR.
Attorneys' Access to Provider Clients' Records. As
noted above, the Privacy Rule permits covered health care providers to
disclose PHCR without authorization to their counsel in order to seek
legal advice and representation. State law, however, is not so generous;
it requires that the provider obtain an authorization before disclosing
PHCR even to its own counsel, unless an exception applies. State law,
being contrary to and more stringent than the Privacy Rule, will prevail
on this issue, and, thus, effectively, outside counsel are not permitted
to access their clients' PHCR without the individual patient's
authorization unless an exception recognized under both state law and
the Privacy Rule applies.
Two possible exceptions may apply. While the Privacy Rule would allow
disclosures in administrative/judicial proceedings in response to a
court order, subpoena, or other lawful process, state law allows such
disclosures only in response to court orders, with the net result that
Wisconsin providers are afforded an exception for court orders only. The
other possible exception is for deidentified information, as to which
the Privacy Rule and state law are generally consistent, except that the
Rule is more specific as to what constitutes deidentified information,
with the result that the Privacy Rule definition of deidentification
will prevail. The first column of Figure 1 sets forth
the three primary options for outside counsel seeking access to their
provider clients' PHCR: 1) authorization; 2) court order; and 3)
deidentification.
Once the attorney has obtained the records under one of these three
options, the Privacy Rule's business associate requirements and the
state law redisclosure prohibition will affect the manner in which the
attorney is permitted to further use and disclose the records. As
illustrated in Figure 1, an attorney who has obtained
records pursuant to an authorization is limited in his or her use and
disclosure of those records only to the extent of any limitations in the
business associate contract; the state law redisclosure prohibition does
not apply when an authorization has been obtained. In practical effect,
since the business associate contract will generally permit the attorney
to use and disclose PHCR for purposes of providing legal representation,
once the attorney has obtained PHCR pursuant to an authorization, the
attorney may use and disclose PHCR in the legal matter (to cocounsel, in
court papers, to witnesses, for example) without restriction. Note,
however, that the attorney will be required to obtain a business
associate-like contract with any agents or subcontractors (such as
expert witnesses and court reporters) to whom PHCR are disclosed in the
course of the representation.
Figure 1 also depicts the implications of
obtaining PHCR by court order or deidentification. A court order might
be obtained, for example, if a plaintiff in a medical malpractice
lawsuit refused to sign an authorization permitting the disclosure of
the defendant health care provider's PHCR to the provider's attorneys.
The court order might simply direct the plaintiff to sign an
authorization; if so, once the authorization has been obtained, the
attorney is permitted to access the records and to use and disclose them
just as if the authorization had been obtained without a court order. On
the other hand, the court might simply issue an order permitting the
provider to disclose the plaintiff's records to its counsel. In this
scenario, the attorney would be bound in her uses and disclosures of the
records not only by her business associate obligations but also by the
terms of the court order. Further, unless the court order specifically
permitted the attorney to disclose records in the course of the
litigation, the state law redisclosure prohibition would prohibit the
attorney from doing so. Thus, when attorneys are compelled to seek a
court order, they are well advised to seek an order directing the
individual to sign an authorization or, at the very least, to ensure
that the court order permitting the provider to disclose records also
contains sufficient provisions allowing the attorney to further use and
disclose the records in the course of the legal matter.
Finally, there is the deidentification option. Deidentified records
may or may not be of use to an attorney, depending on the circumstances.
When a lawsuit has been filed against the provider and the attorney
needs access to the plaintiff's medical records, deidentification is, of
course, impossible. On the other hand, if a provider is seeking quick
advice from its attorney, for example, on how to handle a problem with a
particular patient, the attorney may not need identifiable records to
make a recommendation. Under the Privacy Rule, information that has been
deidentified is simply not subject to any of the Rule's protections;
thus, deidentified information in the hands of a business associate is
not subject to the protections of the business associate contract.
Therefore, as reflected in Figure 1, when an attorney
has obtained deidentified records, she is permitted to use those records
without restriction under the Privacy Rule. State law likewise imposes
no restriction on the use. However, the state law redisclosure
prohibition apparently continues to apply, the net result being that
attorneys who obtain deidentified records from their clients are
permitted to use those records but are prohibited under state law from
disclosing them to anyone else.
In-house Counsel's Access to Client Records. Because
state law regulates only external disclosures, it imposes no
restrictions on the provider's sharing of PHCR with its own in-house
counsel. The Privacy Rule does regulate such information sharing as a
"use"; however, because this type of use is considered a health care
operation, the Privacy Rule, like state law, does not require
authorization. In sum, a provider wishing to share PHCR with its
in-house counsel may do so without authorization. Similarly, in-house
attorneys, as employees of the covered entity, may use these PHCR, once
obtained, without authorization under both the Privacy Rule - because
the use is a health care operation - and state law - which does not
regulate internal uses. By contrast, disclosures by in-house counsel -
though permitted without authorization under the Privacy Rule as part of
health care operations - are regulated by state law, and will require
authorization - or a court order or deidentification - to enable the
disclosure. This analysis is illustrated in Figure 2. As employees of
the covered entity, in-house counsel are not subject to business
associate contracts, nor are they considered recipients for purposes of
the state law redisclosure prohibition.[21]
Elizabeth C. Stone, Duke 1997, is an associate in the
Madison office of von Briesen & Roper s.c. in the firm's
Health Care Practice Group. She practices in health care issues, with a
focus on regulatory compliance, including HIPAA. She formerly was an
attorney in the U.W.-Madison Office of Administrative Legal Services,
where she represented the U.W. Medical School, focusing on health care
regulatory compliance and physician risk management.
Attorneys' Access to Records of Nonclient Providers.
As depicted in Figure 3, the analysis with respect to attorneys seeking
PHCR from sources other than their own clients is almost identical to
the analysis for outside counsel seeking access to client PHCR, with one
important distinction. An attorney will never enter into a business
associate contract with a nonclient - for the simple reason that no
business associate relationship exists - and thus the attorney who
obtains PHCR from a nonclient will not be bound by any business
associate contract requirements. Thus, ironically, applying the Privacy
Rule in combination with state law, the restrictions on outside
attorneys' ability to further use and disclose PHCR are actually greater
when the attorney obtains information from her own client than when she
obtains records from someone else.
Pointers and Conclusions
As is likely evident from the above discussion, attorneys - with the
exception of in-house counsel - seeking access to PHCR from clients or
others are best served by obtaining the subject individual's
authorization if at all possible. Obtaining authorization is usually
less burdensome than seeking a court order, and the information obtained
thereby will be more useful than deidentified information. In addition,
obtaining authorization will vitiate the state law redisclosure
prohibition and thus provide more latitude to the attorney to use and
further disclose the information.
Figure 2
Privacy Rule Plus State Law Effects on In-house Counsel Access to and Use and Disclosure of Client's PHCR

Method of Accessing PHCR | Use | Disclosure
Access permitted without authorization or authorization substitute | Use permitted without authorization or authorization substitute | Disclosure permitted only with authorization, court order, or deidentification

Figure 3
Privacy Rule Plus State Law Effects on Attorney Access to and Use and Disclosure of Nonclient's PHCR

Method of Accessing PHCR | Use | Disclosure
Authorization | Use permitted | Disclosure permitted
Court order | Use permitted, subject to any limitations in court order | Disclosure permitted only if court order explicitly authorizes
Deidentification | Use permitted | Disclosure prohibited
In seeking access to medical information, attorneys should expect
many providers to require the use of the provider's own authorization
form. Virtually all providers covered by the Privacy Rule are likely by
now to have revised their forms (previously known in the vernacular as
"medical release" forms) to incorporate the Privacy Rule's required
elements into their already state law-compliant forms. Because of
providers' anxiety regarding HIPAA compliance, they are likely to reject
an unfamiliar form in favor of their own forms, the HIPAA integrity of
which is not in doubt. Attorneys with long-standing relationships with
provider clients may wish to work with these clients to create a
standard authorization form specific to the attorney or law firm.
Attorneys who will seek to obtain medical records from nonclients and
who will attempt to use their own forms should draft those forms to be
compliant with both the Privacy Rule and all relevant state law.
Given the Privacy Rule's recent inception, it is anyone's guess as to
how strictly it will be enforced. Judging from the dearth of reported
case law, it seems that enforcement of section 146.82 historically has
been relatively lax. Whether such laxity will remain the norm in this
era of heightened federal attention to privacy issues and increased
public awareness about privacy remains to be seen. The upshot is that,
for a variety of reasons, all attorneys should make every effort to
understand the requirements of and comply with their obligations under
both existing Wisconsin law and the new federal Privacy Rule.
Endnotes
1. 45 C.F.R. parts 160 and 164.
2. The other two categories of covered entities are health plans, such as health insurance companies and HMOs, and health care clearinghouses, organizations that process and reformat health information for providers and health plans. 45 C.F.R. §§ 160.102, 164.104.
3. 45 C.F.R. §§ 160.102, 164.104.
4. 45 C.F.R. § 160.103 (definition of "protected health information"). Note that the definition of PHI specifically excludes employment records and certain federally regulated education records.
5. 45 C.F.R. § 164.501 (definitions of "use" and "disclosure").
6. 45 C.F.R. § 164.508(a)(1). A valid authorization must contain nine specified elements. § 164.508(c).
7. 45 C.F.R. § 164.501 (definition of "health care operations"); §§ 164.502(a)(1)(ii), .506.
8. 45 C.F.R. § 164.512(e).
9. 45 C.F.R. §§ 164.502(a)(1)(vi), .514(a), (b)(2). There are a few other exceptions that may apply in specific circumstances, such as in worker's compensation cases and when disclosures are required under other applicable laws. § 164.512(a), (l).
10. 45 C.F.R. § 160.103 (defining "business associate" as one who performs business functions or activities involving PHI for or on behalf of a covered entity).
11. 45 C.F.R. §§ 164.502(e), .504(e).
12. 45 C.F.R. § 164.504(e)(2).
13. 45 C.F.R. § 164.504(e)(2)(iii).
14. Wis. Stat. §§ 146.81-.84.
15. Wis. Stat. §§ 146.82(1), .81(4). It should be noted that the conclusions herein may not apply to records subject to these other state laws, such as section 51.30 (mental health/substance abuse records) and section 252.15 (AIDS/HIV records).
16. Wis. Stat. § 146.836.
17. Though the statute does not contain an explicit statement regarding its applicability, it becomes clear from reading section 146.82 and surrounding sections that its intent was to regulate providers. See Wis. Stat. § 146.81(4) (defining "patient health care records" as records prepared by a "health care provider"); § 146.81(2)(c) (envisioning that "health care providers" will be seeking consent to release records). See also the use of the term "provider" in section 146.82(2)(a)5., 6., 7., and 11., and (2)(d).
18. Wis. Stat. § 146.82(2)(a)4., 20.
19. Wis. Stat. § 146.82(2)(b).
20. See 45 C.F.R. §§ 160.203 (preemption rules), .202 (definitions of "contrary" and "more stringent").
21. It should be noted that this analysis would change if state law were construed to cover internal uses as well as external disclosures. Under this alternative construction, in-house counsel would be regulated in exactly the same manner as outside counsel, and the conclusions reflected in Figure 1 and discussed in the article would apply equally to in-house as well as to outside counsel.
Wisconsin Lawyer