[BreachExchange] HIPAA Spring Check-Up: Your Obligations to Safeguard Third-Party Patient Health Information in Medical Records Produced in Litigation

Audrey McNeil audrey at riskbasedsecurity.com
Fri May 26 15:19:29 EDT 2017


And, if your organization is facing a request seeking records or other
materials that may contain patient health information (“PHI”), it bears
repeating that while HIPAA provides a number of methods through which
covered entities that hold records containing PHI may produce such records,
these guidelines are closely enforced by courts.

By way of reminder, consent of the subject of the PHI is not a prerequisite
to its production under HIPAA and the statute offers three
litigation-related alternatives to obtaining consent from the subject of
the implicated records. Specifically, 45 C.F.R. § 164.512(e) permits a
covered entity to disclose PHI in the course of any judicial or
administrative proceeding where:

- the party seeking the PHI obtains a court order governing the production
of the records;

- the covered entity receives a written statement and documentation from
the party seeking the PHI that it provided notice of the litigation to the
subject, identified that the subject’s PHI was implicated in the request,
gave the subject an opportunity to object, and received no such objection;

- the party seeking the PHI demonstrates the existence of a court-endorsed
protective order that prohibits the parties from using or disclosing the
PHI for any purpose other than the underlying litigation and requires the
return to the covered entity or destruction of the PHI at the end of the

However, as the United States District Court for the District of Kansas
recently reiterated, even where the disclosure of PHI is permitted or
permissible under HIPAA, any PHI should be produced in “de-identified”
redacted format unless the subject of the medical records is a party to the
lawsuit or the identity of the subject of the medical records is directly
relevant to the claims and issues in the underlying case.  See Duffy v.
Lawrence Mem. Hosp., 2017 U.S. Dist. LEXIS 49583 (D. Kan. Mar. 31, 2017).

In Duffy, a false claims case, the parties had in place a protective order
that the Court acknowledged bound the parties to keep the contents of the
medical records produced confidential.  However, that was not the end of
the inquiry with respect to the production of the records that the
Plaintiff argued it needed to show the extent to which the Hospital
falsified records to obtain higher Medicare and Medicaid payments.

The issue of de-identification arose in association with the Hospital’s
motion to modify a previous discovery order compelling it to produce more
than 15,000 patient records responsive to the Plaintiff’s document
requests.  As grounds for the motion, the Hospital represented that
responding to the Plaintiff’s requests as contemplated by the Court’s
discovery order would take 8,982 working hours and cost $230,000, including
redactions that would take ten reviewers fourteen days at a cost of
$37,259.50.  The Plaintiff argued that there was no need for redaction
because the Plaintiff was bound under the terms of the stipulated
protective order to keep patient information produced confidential.

While the Plaintiff made a creative argument given the scope of 45 C.F.R. §
164.512(e), she missed the key distinction between medical records specific
to one of the parties in the underlying case and those of third parties.
Specifically, the Court stated that, while it had “full confidence in the
parties’ adherence to the terms of the protective order,” the medical
records at issue related to patients who were not parties to the action and
whose personal confidential information the Defendant had a legal duty to
safeguard.  For this reason, the Court directed the Defendant to produce
the records only after redacting any PHI.

Doctor’s Orders

So the lesson is clear: if your organization maintains vast amounts of
records that contain PHI of any kind, be they medical records, clinical
trial-related materials, correspondence with governmental agencies or other
sensitive materials, even where a protective order is in place, make sure
to consider and discuss with counsel redacting any PHI in records to be
produced wherever the records involve unrelated third party subjects.
Remember, this is true even where records may not contain full names (or
names at all), social security numbers, or birth/death dates.

Your HMO (“HIPAA Maintenance and Organization”)

What PHI should covered providers be watchful for, even within materials
that are not medical records in the traditional sense, to ensure produced
records are de-identified?  Be on the lookout for the following:

- Names

- All geographic subdivisions smaller than a state, including street
address, city, county, precinct, zip code, and their equivalent geocodes[1]

- All elements of dates (except year) for dates directly related to an
individual, including birth date, admission date, discharge date, date of
death; and all ages over 89 and all elements of dates (including year)
indicative of such age, except that such ages and elements may be
aggregated into a single category of age 90 or older

- Telephone numbers

- Fax numbers

- Electronic mail addresses

- Social security numbers

- Medical record numbers

- Health plan beneficiary numbers

- Account numbers

- Certificate/license numbers

- Vehicle identifiers and serial numbers, including license plate numbers

- Device identifiers and serial numbers

- Web Universal Resource Locators (URLs)

- Internet Protocol (IP) address numbers

- Biometric identifiers, including finger and voice prints

- Full face photographic images and any comparable images

- Any other unique identifying number, characteristic, or code (including
clinical trial numbers)
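As an added example (not part of the original post), the following Python applies three of the rules in the list above to a constructed patient record: direct identifiers are dropped, dates are reduced to the year, and ages over 89 (including a birth year that would reveal one) are aggregated into "90 or older". The field names and sample values are assumed for illustration only.

```python
import re
from datetime import date

# Assumed field names for the constructed record below, mapped onto the Safe
# Harbor categories listed above (names, geography, phone, record numbers).
DIRECT_IDENTIFIER_FIELDS = {"name", "street_address", "city", "zip", "phone", "mrn", "email"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}
AGE_LIMIT = 89          # ages above this are reported only as "90 or older"
ISO_DATE = re.compile(r"^(\d{4})-\d{2}-\d{2}$")

def age_on(birth: date, as_of: date) -> int:
    """Whole years from birth to as_of."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years

def deidentify(record: dict, as_of_iso: str) -> dict:
    """Return a copy of record with direct identifiers removed, dates reduced to
    the year, and ages over 89 (plus any date that would reveal one) aggregated."""
    as_of = date.fromisoformat(as_of_iso)
    birth = record.get("birth_date")
    over_limit = False
    if isinstance(birth, str) and ISO_DATE.match(birth):
        over_limit = age_on(date.fromisoformat(birth), as_of) > AGE_LIMIT
    if str(record.get("age", "")).isdigit():
        over_limit = over_limit or int(record["age"]) > AGE_LIMIT
    out = {}
    for key, value in record.items():
        if key in DIRECT_IDENTIFIER_FIELDS:
            continue                        # dropped entirely
        if key in DATE_FIELDS:
            m = ISO_DATE.match(str(value))
            if m is None or (key == "birth_date" and over_limit):
                out[key] = "[REDACTED]"     # unparseable, or the year alone would reveal age > 89
            else:
                out[key] = m.group(1)       # year only
        elif key == "age":
            out[key] = "90 or older" if over_limit else str(value)
        else:
            out[key] = value                # clinical content is not an identifier
    return out

# Constructed sample record; no real patient.
SAMPLE = {
    "name": "Jane Q. Sample", "street_address": "12 Example Lane", "zip": "00000",
    "phone": "555-0100", "mrn": "MRN-0000001", "birth_date": "1924-03-15",
    "admission_date": "2017-02-01", "discharge_date": "2017-02-09",
    "age": 92, "diagnosis": "pneumonia",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE, "2017-03-31"))
```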