HHS Issues New HIPAA Privacy FAQs Regarding Litigation and Legal Matters

The Office of Civil Right Division of the United States Department of Health and Human Services (HHS) has issued nine new FAQs regarding the use and disclosure of protected health information (PHI) by covered entities related to litigation and legal proceedings.

The implementation of the Privacy Rule under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) raised many practical questions by covered entity health care providers on how to implement the requirements when releasing PHI to attorneys in the context of litigation. Among others, how should a covered entity handle the release of PHI when responding to discovery requests, subpoenas and court orders. What responsibilities does an attorney meeting the definition of a business associate have under the Privacy Rule and can the attorney share PHI with others involved in the litigation.

Although I have not had a chance to fully review the new FAQs I will be interested to see whether the FAQs address all of the issued raised in a letter submitted to OCR on October 28, 2003, by a task force of the American Health Lawyers Association (“AHLA”) Health Information Technology Practice (“HIT”) Group.

The new FAQs address the following questions. Click on the "Answer" link to go directly to the HHS FAQ answer.

1. May a covered entity that is a plaintiff or defendant in a legal proceeding use or disclose protected health information for the litigation? Answer.
2. May a covered entity that is not a party to a legal proceeding disclose protected health information in response to a subpoena, discovery request, or other lawful process that is not accompanied by a court order? Answer.
3. In providing legal services to a covered entity, must a lawyer who is a business associate require that those persons to whom it discloses protected health information agree to abide by the privacy restrictions and conditions that apply to the lawyer? Answer.
4. May a covered entity use or disclose protected health information for litigation? Answer.
5. What “satisfactory assurances” must a covered entity that is not a party to the litigation receive before it may respond to a subpoena without a court order? Answer.
6. When must a covered entity account for disclosures of protected health information made during the course of litigation? Answer.
7. For disclosures for judicial and administrative proceedings, when is a copy of the subpoena itself sufficient satisfactory assurance of notice to the individual? Answer.
8. For disclosures for judicial and administrative proceedings, can notice be provided to the individual's lawyer instead of the individual? Answer.
9. May a covered entity disclose protected health information in response to a court order? Answer.