[BreachExchange] Managing PHI Disclosure When a Lawsuit Is Involved—How to Prepare

Audrey McNeil audrey at riskbasedsecurity.com
Mon Apr 2 20:24:13 EDT 2018


http://journal.ahima.org/2018/04/01/managing-phi-disclosure-when-a-lawsuit-is-involved-how-to-prepare/

Health information management (HIM) professionals must be prepared to
address risks related to release of information (ROI) and protected health
information (PHI) disclosure management when a lawsuit is involved. In the
event of litigation, your organization can expect to receive requests for
patient records regarding a specific encounter or incident.

If your facility is facing a lawsuit, crossover between HIM and risk
management is inevitable. For example, risk management may have electronic
health record (EHR) access, with the ability to pull information as needed
to prepare for an investigation. The situation can be tricky when risk
management has prepared information for the hospital’s attorney, while
opposing attorneys have come through ROI. We’ve seen cases where there are
two sets of records, from different print queues, presented in court.
Ensuring consistent information is critical.

The following hypothetical case study emphasizes the importance of
collaboration among all parties—including HIM, risk management, legal
counsel, compliance, privacy, and data integrity—when release of
information is required as part of a lawsuit.

Case Study Scenario

In response to a lawsuit filed against Hospital A, the facility’s risk
management department has prepared patient health records for in-house
counsel review. Risk managers have a print queue providing information from
both the legal health record and portions of source systems that supply
information to the legal health record. The information concerning “Patient
Z” includes 1,989 pages for evaluation.

At the time, risk management was not aware of current open items for
quality review. Because the record was not placed in legal hold, the
updates to data integrity items were made in the legal health record. The
in-house legal counsel was not aware that updates to the documentation,
made at the request of the data integrity division, clinical documentation
improvement (CDI), had been entered by the physician. Both the surgeon and
the radiologist had used voice-activated transcription technology for their
reports, which were authenticated without complete review for integrity.

Hospital A receives a request from the opposing attorney for patient health
records in preparation for litigation. The subpoena for Patient Z’s health
records is received by the HIM department, ROI division. The employees
assigned to handle release of information have access to various print
queues to perform their task. The ROI division view did include CDI queries
and corresponding physician responses. The opposing attorney receives 2,035
pages of Patient Z’s legal record based on the appropriately assigned print
queue provided in response to the subpoena.

When the two groups begin litigation, it is apparent that they are working
with different sets of information. The opposing attorney questions why he
did not receive all information according to the subpoena. Despite an
explanation of the two health record views and the print queue assignment,
the opposing counsel seems to suspect that Hospital A has attempted to
suppress information. The resolution of the case is delayed, requiring
sealed records submitted to the court and the case presented to a jury.

What went wrong in this case? Hospital A failed on two counts: to issue a
legal hold to preserve the view provided for legal evaluation, and to
establish an e-discovery process to ensure proper response to the court
system. Had the facility followed information governance policies and
procedures—appointing one group to be the source of health information,
along with thoughtful review regarding the contents of the defined legal
health record for the patient—the case might have been resolved
efficiently, outside of the court system.

Responding to e-Discovery Requests

The transition to EHRs and the advent of telemedicine require increased
responsibility for responding to e-discovery requests. For example,
consider communication between patients and physicians via email or
portals. That information may or may not be in the patient’s health record,
but it is part of the e-discovery process.

HIM experts suggest that all facilities, including small practices, take
proactive measures to prepare for these requests. The most effective
approach will align with an information governance plan that promotes
prompt and accurate response to e-discovery requests. Knowing how to
respond to an e-discovery request ensures HIM professionals are better
prepared in the event of litigation. And learning to navigate the
organization’s EHR system supports overall improved records management.

Four Steps for Responding to EHR Requests

Certifying records requested for the legal process requires that any copy
provided is an exact duplicate of the original. When responding to requests
for EHRs, four steps are recommended:

1. Determine if the request is valid—verify identity and authority of the
requester.

2. Validate that the format of the request meets state legal requirements
for a valid subpoena or court order. Check state law for specific
requirements.

3. Determine the legal power of the document—such as what information may
be disclosed, what authorizations are required, and what state laws apply.

4. Disclose the information to the designated recipient according to the
patient or legal guardian, court, or lawyer designated on the subpoena or
court order.

Best Practices Begin with Collaboration

If a facility faces litigation, the first step is to bring together
everyone involved, with all pertinent documentation, to ensure one unified
view of the information required to meet legal requirements. This tactic is
aligned with centralized PHI disclosure management versus a siloed
approach. Unfortunately, silos exist, which creates risk, slows processes,
and prompts questions—especially if the risk management and HIM print
queues produce inconsistent documentation. If that happens, the opposing
attorney may suspect an attempt to suppress or skew evidence. Once
questions arise, even the true story may seem unbelievable.

Failure to issue legal hold comes up often. Many organizations are not
using legal hold, especially for electronic health records, as they should.
Legal hold preserves all forms of relevant information to avoid evidence
spoliation. Upon notification of intended litigation, a hold should be
issued immediately. Once records are gone or tampered with, it is difficult
if not impossible to reverse that action.

In response to subpoenas, HIM and risk management must work together to
ensure proper disclosure of PHI according to the HIPAA Privacy Rule. Your
legal counsel, both internal and external, is responsible for knowing the
rules and handling subpoenas for patient records. Seek their direction
throughout the legal process—collaboration is essential. Here is a summary
of best practices to consider when lawsuits occur and records are requested:

- Promote collaboration among all involved—HIM, risk management, legal
counsel, compliance, privacy, and data integrity/CDI.
- Ensure one unified view of the information required to meet legal
requirements—consistency is critical.
- Issue legal hold as soon as litigation is anticipated or initiated.
- Use a proactive approach based on information governance policies and
procedures for releasing patient records and protecting privacy.
- Understand HIPAA rules and regulations, along with other state laws and
regulations that apply.
- Establish a process for responding to e-discovery requests.
- Consult as needed with internal and outside legal counsel for guidance.