Requesting Health Records
Oct 14, 2015
First published in the Hawai‘i Bar Journal (the official publication of the Hawai‘i State Bar Association), October 2015 Edition.
by Terri O’Connell
You need health records to help your client. Neither the healthcare provider nor the insurance company is sending you the records you requested, and neither entity is a party to your client’s matter. For every frustrated attorney who tries but fails to obtain health records, there is an in-house legal counsel or compliance director who is equally frustrated. The in-house legal staff often understands the attorney’s request and need, but unless the attorney follows the applicable privacy regulations, the health record information being sought will not be forthcoming. Understanding just a few of the federal privacy regulatory obligations, along with a practical perspective, may help reduce future frustrations and ensure a more satisfactory outcome: a transfer of the requested health records.
When Congress passed the Health Insurance Portability and Accountability Act of 1966 (“HIPAA”), Section 264 of HIPAA directed the Secretary of Health and Human Services (“HHS”) to develop regulations as to the privacy of individually identifiable health information. Public Law 104-191. In 2002 and 2003, HHS finalized and promulgated the regulatory standards for the privacy and security of health records and other health information, and for how that information could be exchanged electronically. Those regulations are commonly known as the Privacy Rule and the Security Rule.[1] In 2006, the final regulations of the HIPAA Enforcement Rule were issued.[2] More regulatory safeguards, particularly for electronic health information, came later through the 2009 HITECH Act.[3] Then, in 2013, HHS released what it described as the “final omnibus rule,” which amended prior regulations and further strengthened HIPAA’s privacy and security safeguards for protected health information (“PHI”). 78 Fed. Reg. 5566 (January 25, 2013) (codified at 45 C.F.R. Parts 160 and 164). Altogether, the “HIPAA rules” provide a national standard and a federal floor to safeguard the privacy of PHI, much of which is kept in health records.
HIPAA, like other privacy regulations in the U.S., has the characteristic of protecting data within a business sector. See, Nicolas P. Terry, Protecting Patient Privacy in the Age of Big Data, 81 UMKC L. Rev. 385, 387 (2012). HIPAA applies to the health care sector and within that vertical market only a subset of stakeholders are regulated. Id. While there are downsides to this approach from a general privacy perspective, it does narrow the regulatory scope.
Unlike HIPAA, the Hawai‘i constitution at Article I, § 6, provides its citizens personal privacy protection beyond any industry’s silo of regulations: “The right of the people to privacy is recognized and shall not be infringed without the showing of a compelling state interest. The legislature shall take affirmative steps to implement this right.” The HIPAA regulations recognize HIPAA’s limited privacy applicability, and provide for HIPAA state law preemption and exceptions through 45 C.F.R. Part 160, Subpart B.
The HIPAA Obligations of a Covered Entity
HIPAA is an extensive body of regulations that can quickly overwhelm a reviewer. When obtaining health records and applying HIPAA, the first step is a determination of the status of the entities involved in the matter and understanding their obligations and relationships to other entities.
The starting point for HIPAA compliance begins with a “covered entity”. Covered entities include:
• a health plan; or
• a health care clearinghouse; or
• a health care provider who transmits any health information in electronic form in connection with a transaction.
45 C.F.R. §§ 160.103 and 164.104.
Examples of covered entities include doctors, dentists, pharmacists, chiropractors, clinics, hospitals, nursing homes, pharmacies, health insurance companies, mutual benefit societies, HMOs, claims clearinghouses that transmit claims to insurers, employer group health plans, Medicare, Medicaid, and other government health care programs.[4]
Covered entities are legally obligated under HIPAA to protect the PHI created, received, collected, used or disclosed about patients. PHI includes information related to health status, provision of health care, or payments for health care that identifies an individual or could be used to identify an individual. 45 C.F.R. § 160.103. It also includes demographic information and other information one might not normally consider PHI, such as an account number, an individual’s relative, an employer, or a vehicle, device, or biometric identifier. 45 C.F.R. § 164.514(b).
Information or data that is not individually identifiable, or has had all identifiers removed, is not PHI and is not subject to HIPAA. 45 C.F.R. § 164.514(a). Similarly, if there is no covered entity then HIPAA is not implicated. Another federal law affecting a different business sector or industry may apply, but not HIPAA.[5] Alternatively, a state law or a state constitution, such as Hawaii’s constitutional right to privacy, may be applicable.[6]
A Covered Entity’s Relationships
Most covered entities outsource certain services to help them fulfill their health care functions. For example, a medical clinic may subcontract for billing services, or an insurer may arrange for a pharmacy benefits manager to help manage the insurer’s pharmacy network. In these situations, any obligations under HIPAA to protect PHI will flow from the covered entity to the downstream persons or entities, which are known as “business associates” of the covered entity. 45 C.F.R. § 160.103. Workforce members of the covered entity, however, are excluded from the definition of business associate. Id.
Business associates may have a direct relationship with a covered entity for which they provide services, causing them to create, receive, maintain, or transmit PHI. They may also be several entities away from the covered entity. Those business associates that are further downstream from the business associate who has a direct relationship with a covered entity are also known as “subcontractors”. Id.
All entities downstream from the covered entity are legally obligated under HIPAA to safeguard PHI to the extent they create, receive, maintain, or transmit PHI on behalf of the covered entity, no matter how far downstream the PHI flows.[7] Downstream entities are also subject to some of the same civil and criminal penalties as covered entities for HIPAA violations.[8]
For example, assume “Healthy Hospital” subcontracts its emergency room services to “Prompt MD”. Healthy Hospital is the covered entity and Prompt MD is a business associate of Healthy Hospital. Although the emergency room physicians provide their services as employees of Prompt MD, it is very likely that only Healthy Hospital retains the health records of patients who visit its emergency room. This is in part because the covered entity wants to retain full control of the health records and the downstream business associate does not want to become the custodian of health records. Nevertheless, if the emergency room health records are needed from Healthy Hospital, it should also be determined whether Prompt MD holds any health records before ruling it out as a source.
When PHI flows downstream from a covered entity to a business associate to a subcontractor, generally there must be a contract between the covered entity and the business associate, and between the business associate and the subcontractor. 45 C.F.R. § 164.504(e). Under HIPAA, this contract is referred to as a “business associate agreement” or a “BAA”.[9] The BAA helps ensure that the PHI flowing downstream is properly safeguarded, and it allows the covered entity to include restrictions and conditions on the use and disclosure of PHI. Be aware, however, that a business associate becomes a business associate by definition and not by having a BAA with a covered entity.[10]
For example, assume Healthy Hospital now hires a law firm to represent it and one of its employees in a lawsuit brought by a patient. The law firm then hires “Dr. Consult” as an expert, and she has access to the patient’s health records. Under HIPAA, Healthy Hospital is the covered entity and it will have a BAA with the law firm, which is a business associate of Healthy Hospital. In turn, the law firm will have a BAA with Dr. Consult because she is a subcontractor of the business associate law firm. Note that when HIPAA is applied to Dr. Consult in her capacity as a physician in her own medical practice, she is a covered entity. In this example, however, she is not acting as a covered entity because she was hired by the law firm to serve as an expert and is not acting as a health care provider treating patients. Yet, even as a subcontractor, she still has the same obligations to protect any PHI created, received, maintained or disclosed about Healthy Hospital’s patient. When requesting health records, however, generally the request need only be directed to the covered entity.
Patient Authorization to Release Health Records
The simplest and most efficient method for requesting health records is through the patient’s authorization for release of his or her health information. It is also the method preferred by the covered entities and their custodians of record.
The premise under HIPAA is that the information in a patient’s medical record belongs to the patient.[11] With few exceptions, the covered entity, or the business associate if the covered entity has delegated record disclosures, must release the medical records to a patient who properly makes the request.[12]
Fortunately, HIPAA provides the “core elements” that are required for a valid patient request which is often referred to as a “HIPAA authorization”. 45 C.F.R. § 164.508(c)(1). The authorization must also be written in plain language. 45 C.F.R. § 164.508(c)(3). In addition to the identity of the person or entity from whom the health records are sought, all of the following are required elements of a HIPAA authorization:
1. Individual: The individual patient’s name and other specifics that will identify the particular patient. 45 C.F.R. § 164.508(c)(1)(ii). Typically, the other specific identifiers include the patient’s address, birthdate, and telephone number. If possible, do not provide the patient’s full social security number; redact it so that only the last four digits appear.
2. Receiving entity: The identity of the person or entity to whom the information is to be sent, i.e., the third party. 45 C.F.R. § 164.508(c)(1)(iii). Generally, the best identification to use is a name and address because the covered entity needs to know where to send the information.
3. Information requested: A description of the information to be disclosed that is specific and meaningful so the covered entity knows what to send. 45 C.F.R. § 164.508(c)(1)(i). This is particularly important if the covered entity has many different types of records or information available.
4. Purpose: A brief explanation of the purpose for each information request. 45 C.F.R. § 164.508(c)(1)(iv). Examples of explanations might include “legal purpose,” “at the request of the patient,” “insurance,” or “changing doctors”.
5. Expiration: Expiration date, expiration event, or time frame at which the HIPAA authorization will expire. 45 C.F.R. § 164.508(c)(1)(v).
6. Signature: Signature of the patient and the date. 45 C.F.R. § 164.508(c)(1)(vi). If the patient’s representative or guardian is signing the HIPAA authorization, then indicate the relationship to the patient that provides the authority to act for the patient. Id. If the relationship is anything other than “Mom” or “Dad,” it is likely the covered entity will request the legal documentation demonstrating the representative’s authority to act for the patient. To speed up the process, include the legal documentation with the HIPAA authorization when it is sent to the covered entity.
HIPAA also has “required statements” that must be conveyed to the patient to put the patient “on notice”. 45 C.F.R. § 164.508(c)(2). The statements include all of the following:
1. Re-disclosure possible: The potential for the patient’s information to be re-disclosed and no longer protected by HIPAA. 45 C.F.R. § 164.508(c)(2)(iii). A covered entity should not accept a patient authorization as valid if this potential re-disclosure warning is not on the HIPAA authorization form. Not only is the statement a requirement, but it is true. Under HIPAA, the covered entity is tasked with protecting the health record. Once the health record leaves the covered entity and is given to a patient, for example, the patient may do what he or she wishes with their own health record, including disclosing their health record to others.[13] The same is true for a patient’s representative.
2. Right to revoke: The right to revoke the HIPAA authorization in writing. The statements must also include how the patient can revoke the authorization, and whether there are any exceptions to the revocation. Exceptions may include the covered entity’s disclosures made prior to the revocation. 45 C.F.R. § 164.508(c)(2)(i).
3. No conditions: The HIPAA authorization must be voluntarily signed, and generally the covered entity cannot condition treatment, payment, enrollment or eligibility for benefits on whether the patient signs the HIPAA authorization. 45 C.F.R. § 164.508(c)(2)(ii). There are, however, a few narrow exceptions, such as providing research-related treatment. 45 C.F.R. § 164.508(b)(4).
Common Issues Seen by Covered Entities
The obligation to ensure compliance with HIPAA rests with the covered entities disclosing the PHI, and because they are tasked with protecting the PHI, covered entities take disclosure of health records seriously. When a HIPAA authorization hits the desk of an in-house legal counsel, compliance director, or custodian of records, that person will literally check off each of the above requirements to ensure the health records may be released.
Unfortunately, health care providers, insurers, and other disclosing entities are continually besieged by improper requests for health records. In an effort to assist patients and attorneys, some covered entities have developed their own compliant HIPAA authorization form, and many post the form on their websites for easy access, along with any applicable fees. Some covered entities even manage to provide an authorization form in a single-page document.
If an attorney or law firm has not developed its own HIPAA authorization form, the simplest method to ensure receipt of health records is to use the covered entity’s HIPAA authorization form if available. To encourage proper completion of their forms, many covered entities provide instructions for a valid authorization, including where to send the request.
Based on experience and a recent informal poll of colleagues that work for covered entities, here is a list of common issues that render HIPAA authorizations defective or do not allow the covered entity to provide the requested health records:
• Failure to complete all of the core elements of the HIPAA authorization. Common examples include failing to provide the purpose for the release of the health records, the relationship of the personal representative to the patient, or the authorization’s expiration date or event. 45 C.F.R. § 164.508(b)(2).
• Core elements that are not valid. An example is the submission of a HIPAA authorization form in which the expiration date or expiration event has passed. All HIPAA authorizations must have an expiration date or event and once that authorization expires a new form must be completed with a new expiration date or event. Id.
• Patient identifiers that do not match the covered entity’s records. One colleague described this issue as a “thorn in my side.” The example provided was when the name and birthdate on the HIPAA authorization are not accurate and do not match the records of the covered entity.
• Sending a cover letter with a patient HIPAA authorization in which the cover letter requests records that differ from what the patient has authorized. Covered entities are bound by the patient’s authorization. Expect the covered entity to only disclose what the patient authorized. Worse yet, is when the covered entity receives only a cover letter requesting records and no patient HIPAA authorization.
• Sending the patient’s HIPAA authorization to the wrong organization. This is a simple and easy mistake to make, but there are potential ramifications for attorneys who are business associates of a covered entity that is a client.[14]
• Handwritten HIPAA authorizations that are not legible. Obviously no one can fulfill a request that cannot be understood.
Defective HIPAA authorizations are so common at the larger covered entities that many have developed at least partially automated denial letters, which explain the reason the health record request cannot be fulfilled. It is unfortunate when delays of health records occur due to improper authorizations because it is inefficient and both the requestor and covered entity can become frustrated.
Even when a proper HIPAA authorization is received, several colleagues made an additional request of attorneys. They expressed that it would be helpful to have three to four weeks to provide a patient’s health records.[15] The reason given was that with the advent of electronic health records (“EHRs”), the volume of documents is much larger than in the prior paper version of a single health record stored, for example, by a clinic. Not only is more data being collected due to EHRs, but the data may be spread over several electronic systems, requiring specific downloads to a file for a particular patient.[16]
Other Options to Obtain Health Records
When an individual patient HIPAA authorization is not possible, the next most efficient and simplest method is to issue a subpoena. Covered entities may disclose health records as long as the covered entity is reasonably sure that the individual patient has received sufficient notice to object to the subpoena. 45 C.F.R. § 164.512(e)(1)(ii)(A).
Again, imagine the people working in-house for the covered entity who are obligated to comply with HIPAA. The first review of the subpoena is to determine its legitimacy and ensure legal authority. Assuming it is a proper subpoena, the covered entity’s second step is to determine if notice has been given to the individual patient who is the subject of the subpoena’s request for disclosure of PHI. The purpose of the notice is to give individuals the opportunity to object to disclosures of their PHI.
Usually the HIPAA compliance problems occur with the second step. Either notice is not given or the covered entity does not have “satisfactory assurance” that notice has been given. 45 C.F.R. § 164.512(e)(1)(iii). Covered entities will require a copy of the notice given to the individual patient along with other documentation demonstrating either that no objections to the release of the PHI were raised or that all objections were resolved. Id.
Rather than providing notice as a reasonable assurance to the covered entity, attorneys can instead seek a “qualified protective order.” 45 C.F.R. § 164.512(e)(1)(ii)(B). Similar to the notice, covered entities will require a written statement and appropriate documentation demonstrating the attorney’s actions. 45 C.F.R. § 164.512(e)(1)(iv).
When attorneys fail to provide the proper documentation, HIPAA does allow the covered entity to obtain its own satisfactory assurances. Covered entities themselves can provide the notice to the individual or seek a qualified protective order. 45 C.F.R. § 164.512(e)(1)(vi). They rarely take on that burden, however. Typically, the covered entity will simply reject the attorney’s subpoena with an explanation that the covered entity needs satisfactory assurance that the individual has received notice with an opportunity to object to disclosures of his or her PHI, or that a protective order is forthcoming, all as required by HIPAA.
In part, because of the discretionary aspect afforded by HIPAA, covered entities find subpoenas and other legal processes a distant second alternative to the patient’s HIPAA authorization. Besides having to determine whether the threshold for satisfactory assurance has been met, the regulations support a covered entity’s discretion for disclosure by the use of the word “may”. As provided in 45 C.F.R. § 164.512(e)(1) regarding PHI disclosures, “[a] covered entity may disclose protected health information in the course of any judicial or administrative proceeding.” Also, HHS has stated that it refuses to require rather than permit PHI disclosure pursuant to court orders. See, 65 Fed. Reg. 82462, 82677 (Dec. 28, 2000) (codified at 45 C.F.R. § 164.512(e)).
“Under the statutory framework adopted by Congress in HIPAA, a presumption is established that the data contained in an individual’s medical record belongs to the individual and must be protected from disclosure to third parties.” Id. Let’s reduce the frustration and spend the time to obtain an individual’s HIPAA authorization. The effort is worthwhile because, with limited exceptions, a covered entity must disclose the individual’s health records when presented with a proper HIPAA authorization. A HIPAA-compliant authorization is simply the most efficient and effective method for attorneys to obtain health records and for covered entities to disclose health records.
[1] The Privacy Rule is at 45 C.F.R. Part 160 and Subparts A and E of Part 164, and the Security Rule is at 45 C.F.R. Part 160 and Subparts A and C of Part 164.
[2] The Enforcement Rule is found at 45 C.F.R. Part 160, Subparts C, D, and E.
[3] Title XIII of the American Recovery and Reinvestment Act of 2009 is known as the HITECH Act, which stands for “Health Information Technology for Economic and Clinical Health”.
[4] See HHS descriptions at www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/index.html.
[5] Other federal laws that might be applicable include the Genetic Information Nondiscrimination Act, Americans with Disabilities Act, Family Educational Rights and Privacy Act, Gramm-Leach-Bliley Act, Federal Trade Commission Act, or Electronic Communications Privacy Act, to name a few.
[6] The parameters for privacy protections beyond HIPAA, and through the Hawai‘i constitution, continue to unfold. Under Cohan v. Ayabe, 132 Haw. 408, 421, 322 P.3d 948, 961 (Haw. 2014), the majority concluded that the plaintiff’s information could not be used outside of the litigation. The court, however, was not in full agreement as to the reason for the continued protection of the plaintiff’s information. The majority held that Hawaii’s constitution precluded release of the information outside of the litigation, whether or not the information was de-identified. See id. at 419, 322 P.3d at 959. The minority would have relied on HIPAA to deny the release of information outside the litigation because of the defendant’s failure to properly follow HIPAA’s de-identification process. See id. at 426, 322 P.3d at 966. More recently, the question whether the Hawai‘i constitution protects a non-party’s de-identified health information in discovery was raised. See, Pac. Radiation Oncology, LLC v. Queen’s Med. Ctr., No. CIV. 12-00064 LEK-KS, 2015 WL 419654, at *11 (D. Haw. Jan. 30, 2015), in which the court certified to “the Hawai’i Supreme Court the question of whether a non-party patient’s de-identified medical records are discoverable in a civil action between the patient’s physician and the facility where the patient had a consultation and/or treatment”.
[7] 42 U.S.C. §§ 17931(a) and 17934(a). See also, 45 C.F.R. § 164.308 for administrative safeguards, 45 C.F.R. § 164.310 for physical safeguards, 45 C.F.R. § 164.312 for technical safeguards, and 45 C.F.R. § 164.316 for policies and procedures.
[8] 42 U.S.C. §§ 17931(b), 17934(c), and 1320d-5. See also, 45 C.F.R. § 160, Subpart D.
[9] The Office for Civil Rights has provided an example of a BAA at http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/contractprov.html.
[10] See 78 Fed. Reg. 5566, 5598 (Jan. 25, 2013) (codified at 45 C.F.R. § 164.502), in which HHS states:
The final rule establishes that a person becomes a business associate by definition, not by the act of contracting with a covered entity or otherwise. Therefore, liability for impermissible uses and disclosures attaches immediately when a person creates, receives, maintains, or transmits protected health information on behalf of a covered entity.
[11] In the Preamble to the final rule, 65 Fed. Reg. 82462, 82677 (Dec. 28, 2000) (codified at 45 C.F.R. § 164.512(e)), HHS responded to a public comment that HHS should require rather than permit disclosure under court orders:
Under the statutory framework adopted by Congress in HIPAA, a presumption is established that the data contained in an individual’s medical record belongs to the individual and must be protected from disclosure to third parties. The only instance in which covered entities holding that information must disclose it is if the individual requests access to the information himself or herself.
[12] There are few exceptions to the release of a patient’s health records. See 45 C.F.R. § 164.524. Despite the general mandate to release a patient’s records to a patient who makes a proper request, medical providers may not willingly do so. The Office of Civil Rights (“OCR”) has cited several medical providers for failure to release health records when properly requested to do so. See OCR examples at http://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/allcases.html. The caution occasionally expressed by medical providers in releasing health records is understandable; however, they can upset patients and violate HIPAA by inappropriately denying access. A recent example came from a colleague who works for a health care provider. It seems the staff was stalling the release of medical records to the proper personal representative of a patient. The colleague took the opportunity to educate the staff by pointing out that not only does the patient’s representative have a right to access the health records, but all that is accomplished by delay is an erosion of the representative’s trust.
[13] As a result of Cohan v. Ayabe, 132 Haw. 408; 322 P.3d 948 (Haw. 2014), there has been some confusion as to the re-disclosure statements on a HIPAA authorization form. There have been attempts to submit HIPAA authorizations to covered entities without the HIPAA-required re-disclosure statement. Cohan, however, does not require that the re-disclosure statement be removed. Id. at 422-23, 322 P.3d at 962-63. In Cohan, the defendant Marriott wanted the plaintiff’s HIPAA authorization to allow a non-party covered entity to release the plaintiff’s health records to Marriott. The Cohan court found the re-disclosure statement as it applied to Marriott was not appropriate because it allowed Marriott to use the health information outside the litigation. Id. To limit Marriott’s use of the records to the litigation once the covered entity released the records to Marriott, a stipulated protective order was modified and used. Id. at 423, 322 P.3d at 963. The re-disclosure statement as it applied to the non-party covered entity was not at issue.
[14] Assume the attorney who sent the authorization received the patient’s PHI from a client that is an insurer. Also assume the attorney has a BAA with the insurer. The HIPAA authorization contained PHI such as the name of the patient, an address, a health care provider, and may have included more sensitive information such as a diagnosis. At a minimum, the attorney who sent the HIPAA authorization to the wrong organization should review: (1) the BAA, to determine if the matter must be reported to the insurer, and (2) any internal HIPAA policies and procedures at the law firm regarding a potential breach. In this example, it is likely a risk assessment as to the probability of a breach would have to be performed. 45 C.F.R. § 164.402. Although there is a low probability of a breach if the wrong organization is a covered entity, the risk assessment performed should be documented by the business associate attorney because the burden is on the business associate to demonstrate that a breach did not occur. 45 C.F.R. § 164.414(b).
[15] HIPAA allows thirty days for production of records. Haw. Rev. Stat. § 622-57 allows only ten days when an attorney requests the records with proper patient authorization. Ten days may have been reasonable during the era of paper records, but covered entities appear to need more time with electronic health records.
[16] See, Sharona Hoffman, Employing E-Health: The Impact of Electronic Health Records on the Workplace, Kan. J.L. & Pub. Pol’y, Spring 2010, at 409, 410-11 (2010):
EHRs will also impact workplace litigation involving medical data. EHRs may be more difficult than paper records to produce and review. Because EHRs can consolidate information from all of a patient’s doctors and require input of many more details than are traditionally noted in paper files, they can be voluminous.