
Navigating HIPAA 7 Critical Considerations in Conducting Discovery and


Academic year: 2021


Navigating HIPAA

7 Critical Considerations in Conducting Discovery and Responding to Subpoenas

Presented by:

• Meggan Bushee, Associate, McGuireWoods LLP

• Amanda L. Enyeart, Associate, McGuireWoods LLP

• Nathan A. Kottkamp, Partner, McGuireWoods LLP

• Jason D. Stevens, Assistant General Counsel, Novant Health, Inc.

April 8, 2014


Introduction: HIPAA Core Elements

• What is HIPAA?

– Health Insurance Portability & Accountability Act of 1996

– Privacy Rule

– Security Rule

– Breach Notification Rule

– Enforcement Rule

• What does HIPAA protect?

– Protected Health Information

• Who does HIPAA apply to?


McGuireWoods LLP | 3


1. Judicial Proceedings: Exception to Authorization

• Subpoenas

– State-defined language for notice to providers and/or patients

– State-defined timing requirements for patient to object

– HIPAA protections of alcohol and drug abuse patient records

• Qualified Protective Orders

– Agreed by parties, entered by the court

• Court Orders

• Operational Considerations

– Do you really need a subpoena?

– Can you meet the subpoena requirements?

– Should you treat all subpoenas the same?

– Is further disclosure necessary and permitted by the relevant order?


2. Patient Authorization for Disclosure of PHI

• Describe the information to be disclosed.

• Who is authorized to disclose?

• Who is authorized to receive?

• Describe the purpose of the disclosure.

• Indicate the expiration date or event.

• Must be signed and dated by patient.

• Must include statement regarding right to revoke, potential for disclosure by recipient.

• Must be drafted in plain language.




3. Considerations if Patient is/is not a Party

• Patient is plaintiff and requests own records

• Patient and provider are both parties

– Patient has placed medical condition in question – waiver

1. Waiver of medical record confidentiality is not expressly noted in HIPAA regulations.

2. Safest course of action: seek a protective order.

– Still may need and can obtain authorization for provider to use records

• Patient is a party, but provider is not

• Patient is not a party


4. State Law Considerations

• Physician-patient privilege

• Ex parte communications

• State law protections that increase privacy requirements




5. Responding to OCR

• Recognize that the OCR investigators have strong knowledge about the Privacy Rule, but are not typically lawyers.

• Strike the right balance between being amicable and protecting your rights.

• Understand that OCR’s approach to a matter will be decided by how serious it perceives the problem.

– Awareness letters (and then close matter)

– Response

– Back-and-forth letter campaigns

• There is considerable variability in enforcement


6. Disclosures of Sensitive Information

• HIV/AIDS information

– HIPAA silent but take note of applicable state law

• Mental health records

– Redisclosure limitations

• Psychotherapy notes

– Patient authorization required per 42 C.F.R. 165.508(a)(2)

• Drug and alcohol treatment

– 42 C.F.R. Part 2

– State law




7. HIPAA and Workers’ Compensation

• One of the “grand” exceptions to HIPAA

– 45 CFR 164.512(l)

– Disclosure must be authorized by applicable state law

• Heavily nuanced by state law and by decisions related to the claim (i.e., claim denial, discontinuation, etc.)

• Operationally difficult when a physician provides both occupational medicine and primary or routine care to a patient.

• Practical tips



• Know your state statutes and local rules, and follow the more restrictive rule.

• Careful drafting is crucial.

• HIPAA requires minimum necessary disclosure.

• Do not have paralegal sign requests or other subpoena documents.

• Do not allow Business Associates to respond to subpoenas without at least providing notice.

– Ensure your Business Associate Agreement contains appropriate language regarding the process to be followed when they receive a subpoena or Court Order.





For more information, contact:

• Meggan Bushee, McGuireWoods LLP, Charlotte, mbushee@mcguirewoods.com, 704.343.2360

• Jason D. Stevens, Novant Health, Inc., jdstevens@novanthealth.org

• Nathan A. Kottkamp, McGuireWoods LLP, nkottkamp@mcguirewoods.com, 804.775.1092

• Amanda L. Enyeart, McGuireWoods LLP, aenyeart@mcguirewoods.com, 312.849.8106

