One of the purposes of the Health Insurance Portability and Privacy Act of 1996 is to increase consumers' control over their health care information. The regulations that guide HIPAA implementation, which become effective on April 14, 2003, contain minimum national standards for medical information privacy. State laws that provide greater privacy rights to the patient will not be affected by the federal regulations.
But with respect to subpoenas for medical information, it is likely that the federal regulations will grant patients broader privacy rights than existing laws do in many states. Our review of California law, for instance, found that HIPAA will supersede state law in several respects. Consequently, in California at least, the rules concerning medical-record subpoenas will change.
In other states, these changes will depend on the nature of existing law. While what is presented here applies specifically to California, it is instructive on a general level and should encourage providers in any state to learn whether these or similar situations apply to them.
Changes in notice provisions
Under California law, the party requesting medical information must serve a subpoena and a supporting affidavit and notify the patient of its intent at least 10 days before the date the documents must be produced. The provider must be given at least 15 days notice to turn over the documents. The California timetable will not change, but HIPAA regulations will also require that the provider be given written documentation from the party seeking the release of this information that it has attempted to notify the patient about the subpoena, and a written statement that either the patient did not object in a timely manner or that any objection was resolved in favor of disclosure.
This requirement of a written statement is new; subpoenas for medical information will thus become a two-step process, at least in California — the subpoena, then the written statement. These changes will result in a more cumbersome process in obtaining medical records.
"Minimum necessary" requirement
California law does not specify limitations on the extent to which medical records are subject to subpoena in personal-injury actions. The defense, particularly in malpractice suits, typically seeks the widest possible disclosure in searching for existing medical conditions and alternative causes of the injuries claimed by the plaintiff. Predictably, a plaintiff would try to limit the scope of the defense's discovery.
When disputes arise over how much medical information can be disclosed, they are usually handled in trial court and, typically, there is no appellate review of the decision. Generally speaking, most trial court judges have allowed the defense to obtain medical records from the last 5 to 10 years, except where clearly irrelevant records are sought and where their disclosure could embarrass the plaintiff.
This is consistent with California's liberal discovery rule, which says that the plaintiff who places his or her medical condition in issue waives the right to privacy if it is relevant to the injury claim. California defines the scope of discovery as matters that are themselves "admissible in evidence or appear reasonably calculated to lead to the discovery of admissible evidence."
HIPAA may narrow the scope of medical information that can be obtained. Perhaps the most significant change is in its "minimum necessary" requirement. In essence, this says that a person or group that discloses or uses protected health information must make reasonable efforts to limit such activity to the minimum amount of information that would be needed to accomplish the intended purpose.
This is designed to limit the amount of medical information disclosed in litigation. The HIPAA regulations do not define the term "minimum necessary." Whether this will be defined as information that, under California law, is "admissible in evidence or appears reasonably calculated to lead to the discovery of admissible evidence" remains to be decided by the courts. No doubt, the "minimum necessary" requirement will result in a flood of legal action.
The federal regulations seem designed to allow providers to respond to subpoenas without the enormous burden of having to review patients' charts to determine just what is the minimum necessary information to turn over. If the patient has agreed to what HIPAA calls a "qualified protective order," then the information that is disclosed cannot be used for purposes other than the litigation, and the records and all copies of them must be destroyed or returned to the provider when the litigation is over. In this case, the provider may safely turn over information when it is requested.
Without the qualified protective order, disclosure becomes a two-step process. To comply with California law, the provider has at least 20 days to produce the information. Then, in keeping with HIPAA's requirement for documentation, the provider must get a written statement that no outstanding objections to disclosure exist before medical records can be surrendered.
Tug of war
After April 14, 2003, it is inevitable that a plaintiff will try to limit the defense's access to medical information to as narrow a scope as possible. The defense will be just as aggressive in asserting the necessity of the subpoenaed records. Providers risk fines and other penalties if they provide information beyond what would be considered "minimum necessary." The bottom line: Providers will be well advised to refuse to provide health information in response to subpoenas that are not HIPAA-compliant.
Until all concerned become familiar with HIPAA, it seems inevitable that providers who rightfully demand compliance with the regulations will be drawn into court to justify their refusals. Providers will need to be knowledgeable about the new notice and "minimum necessary" requirements.
In the past, when a provider has been served with an unopposed subpoena or court order for an entire patient chart, the whole chart could be copied. However, it is inevitable that, in some instances, providers now will be required to produce less than the entire chart. These are the cases that will burden providers.
Some subpoenas and court orders probably will require that all medical information between specified dates be turned over. For hospitals and primary care physicians, depending on the complexity of the chart, this may require medical personnel to review progress notes, nurses' notes, dictated reports, consultation reports, lab reports, billing records, and other chart components. This is time-consuming and potentially costly.
Where risk enters the picture is a situation that requires the provider to exercise discretion in determining which records to produce. Take, for instance, a subpoena to a medical group for all of a patient's records that relate to a plaintiff's care for diabetes. In some situations, it will be unclear whether some visits or treatments were related to the condition in issue. This gives the provider a Hobson's choice: Disclosing too much information is a HIPAA violation, potentially resulting in suit for violating the patient's privacy; disclosing too little is a failure to respond properly to the subpoena.
The best course in this situation will be to obtain advice from a capable lawyer.