HIPAA action
HIPAA dvisory
HIPAAdvisory > HIPAAction > HIPAA/LAW: Legal Q/A Phoenix Health Systems
news
regs
action
tech
wares
alert
live
latest
online HIPAA training
HIPAAstore
HIPAA help desk
search
contact us
site map

HIPAA/LAW:
January 2004

"Disclosure of PHI in Lawsuits"

by Steve Fox & Rachel Wilson, Esqs., Pepper Hamilton LLP

QUESTION: Our physician practice is defending a malpractice suit filed by a former patient. The patient's attorney has requested the name, address, telephone number, and certain medical records of our entire patient list. Can we disclose this information without patient authorization or a subpoena?

ANSWER: No. In general, covered entities may only use or disclose protected health information ("PHI") without patient authorization in connection with treatment or payment activity, or in support of the entity's healthcare operations.

The HIPAA Privacy Rule (the "Privacy Rule") does not require patient authorization prior to making a disclosure of PHI in response to a subpoena, but this exception only applies where certain specific requirements are satisfied. In particular, covered entities may disclose PHI without patient authorization in response to a subpoena so long as the covered entity receives satisfactory assurance (as further defined in the Privacy Rule) from the party requesting the disclosure that reasonable efforts have been made to:

  1. ensure that the individuals who are the subject of the requested information have been notified of the request; or
  2. secure a qualified protective order that meets the requirements set forth under the Privacy Rule.

It is equally important to remember that HIPAA's minimum necessary rule applies to disclosures made in response to a subpoena. However, the minimum necessary requirement is not a strict standard to be applied uniformly in each and every circumstance. Rather, in connection with non-routine disclosures of PHI, such as the disclosure contemplated by your question, the minimum necessary requirement is intended to be used as a tool to assist covered entities in making a determination on a case-by-case basis about what constitutes a reasonable disclosure of information. Even assuming the patient's attorney served you with a subpoena, your practice group would need to conduct its own analysis about whether the scope and breadth of the request is reasonably necessary to accomplish its intended purpose, namely to identify information that could be used to support the patient's malpractice claim. Any response to such request should be narrowly tailored to limit the amount of PHI disclosed.

Read past HIPAA Legal Q/A articles.

Steve Fox, Esq., is a partner at the Washington, DC office of Pepper Hamilton LLP, www.pepperlaw.com . This article was co-authored by Rachel H. Wilson, Esq., an associate of Pepper Hamilton LLP. They may be reached at foxsj@pepperlaw.com. Disclaimer: This information is general in nature and should not be relied upon as legal advice.

Go to TOP