Requests for Medical Records, HIPAA, and Litigation

Private-party lawsuits in which one party (or both) alleges physical or mental injury for which medical treatment was sought inevitably drag the HIPAA Privacy Rule – and its definition of the word “authorization” – into the proceedings when requests for medical records are made.

Requests for Medical Records: No Problem So Far

In a typical personal injury lawsuit scenario, Plaintiff asserts an injury, and seeks compensation for (among other things) medical expenses incurred in treating the injury. Defendant, through the process of “discovery” (the use of various devices such as written questions for information and documents), then sends requests for medical records to the Plaintiff’s physicians and other medical providers.

Enter the Physician

The physician or other covered entity receiving the request may have every intention in the world of responding to the request, but at the same time, the physician may feel that the HIPAA Privacy Rule somehow constrains – or eliminates – his or her ability to do so. The physician may, instead of sending the requested records, contact Defendant’s attorney, lamenting (perhaps contentiously) that “HIPAA is tying my hands.” Eventually, the physician, and perhaps even both Plaintiff’s and Defendant’s respective attorneys, may become embroiled in an argument over what medical records can or cannot be disclosed, and what written authorization, and “how much” of it, is required for the records to be disclosed.

The wording of the HIPAA Privacy Rule should put these controversies to rest.

The “Disclosures for Judicial and Administrative Proceedings” Provision

The HIPAA Privacy Rule subsection, “Disclosures for Judicial and Administrative Proceedings,” also known as the “Proceeding Response Rule,” authorizes covered entities (or a business associate acting on behalf of a covered entity) to disclose protected health information (PHI) in response to both:

  • A subpoena or request for medical records not involving a court or administrative tribunal order
  • An order of a court or administrative tribunal

Compliance with a court or administrative tribunal order, in a manner that does not violate the HIPAA Privacy Rule, is effected by the covered entity’s disclosing only that PHI expressly authorized to be disclosed in the order.

When a covered entity receives a subpoena or request for medical records that is not accompanied by an order of a court or administrative tribunal, the covered entity may disclose the PHI if it receives satisfactory assurance, from the party seeking the information, that reasonable efforts have been made by that party to ensure that the individual who is the subject of the requested PHI has been given notice of the request.

Satisfactory assurance is given when the covered entity receives a written statement and documentation from the party seeking the PHI, demonstrating that:

  • The party requesting the PHI has made a good faith attempt to provide written notice to the individual from whom the PHI is sought; and
  • The notice included sufficient information about the litigation in which the PHI is requested to allow the individual to raise an objection to the court or administrative tribunal; and
  • The time for the individual to raise objections to the court or administrative tribunal has elapsed, and:
    • No objections were filed; or
    • All objections filed by the individual have been resolved by the court or administrative tribunal, and the disclosures being sought are consistent with the resolution.

When contemplated in the abstract, almost any power can look or sound confusing. Once the power to receive medical records under the Proceeding Response Rule is properly understood, by a reading of the rule in its entirety, the confusion about requests for medical records – and with it, potential arguments – should go away.