Email Page

Okay, so you have finally reached the point where you are so fed up with the malpractice lawsuit climate that you are willing to go to bat for one of your colleagues by discussing your care and treatment of the patient with defense counsel despite the absence of a signed consent form from the patient. Considering that a patient waives the physician-patient privilege by filing a medical malpractice suit your decision not only reflects your own personal conviction that the truth should be known to all concerned but is also in step with current Texas Law on the issue. So long as your discussion is limited to relevant matters, ex parte communication with defense counsel should be treated no differently than ex parte communication with Plaintiff's counsel in Texas. Indeed, over the past 15 months or so, I have given a number of seminars to physicians aimed at reducing risk of litigation and have urged treating doctors who are not involved in the lawsuit to freely engage in relevant ex parte conversations with defense counsel based on the very same authority. So what has changed? HIPAA - that's what!! These new Regs. are heavy - the sheer weight of paper utilized to set out all of the requirements of the Federal Regulations which have imposed such onerous burdens on your administrative offices relative to patient privacy suggests that the new rules ought to be known as HIPAA-potamus. If you are in touch with your front office staff as you should be, then you know exactly what I mean.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) contains standards for privacy of individually identifiable health information ("Privacy Rule") which address the use and disclosure of individuals' health information - called "protected health information" by organizations subject to the Privacy Rule - called "covered entities," as well as standards for the individuals' privacy rights to understand and control how their health information is used. In essence, the Privacy Rule sets out strict guidelines relative to how you and or your office can use and or disclose health information with and or without a written consent from the patient. The provisions attempt to deal with just about every imaginable circumstance wherein information about your patient may be used or disclosed to third parties or entities.

For our purposes here, the regulations specifically permit the use and disclosure of protected health information without a patient's written consent in the context of litigation. However, notwithstanding that fact, the disclosure must meet strict guidelines. Title 45, Part 164, Subpart E, Section 164.512 states:

A "covered entity" [you and your practice] may use or disclose protected health information without the written consent or authorization of the individual as described in Sects. 164.506 and 164.508, respectively, or the opportunity for the individual to agree or object as described in Sec. 164.510, in the situations covered by this section, subject to the applicable requirements of this section. When the covered entity is required by this section to inform the individual of, or when the individual may agree to a use or disclosure permitted by this section, the covered entity's information and the individual's agreement may be given orally.

(a) Standard: Use and disclosures required by law. (1) A covered entity may use or disclose protected health information to the extent that such use or disclosure is required by law and the use or disclosure complies with and is limited to the relevant requirements of such law. (2) A covered entity must meet the requirements described in paragraph (c), (e), or (f) of this section for uses or disclosures required by law.

(e) Standard: Disclosures for judicial and administrative proceedings: (1) Permitted disclosures. A covered entity may disclose protected health information in the course of any judicial or administrative proceeding:

(i) in response to an order of a court or administrative tribunal, provided that the covered entity discloses only the protected health information expressly authorized by such order; or

(ii) in response to a subpoena, discovery request, or other lawful process, that is not accompanied by an order of a court or administrative tribunal, if:

(A) the covered entity receives satisfactory assurance, as described in paragraph (e) (1) (iii) of this section, from the party seeking the information that reasonable efforts have been made by such party to ensure that the individual who is the subject of the protected health information that has been requested has been given notice of the request; or

(B) the covered entity receives satisfactory assurance, as described in paragraph (e) (1) (iv) of this section, from the party seeking the information that reasonable efforts have been made by such party to secure a qualified protective order that meets the requirements of paragraph (e) (1) (v) of this section.

(iii) For the purposes of paragraph (e) (1) (ii) (A) of this section, a covered entity receives satisfactory assurances from a party seeking protected health information if the covered entity receives from such party a written statement and accompanying documentation demonstrating that:

(A) the party requesting such information has made a good faith attempt to provide written notice to the individual )or, if the individual's location is unknown, to mail a notice to the individual's last know address);

(B) the notice included sufficient information about the litigation or proceeding in which the protected health information is requested to permit the individual to raise an objection to the court or administrative tribunal.; and


(C) the time for the individual to raise objections to the court or administrative tribunal has elapsed, and:

(1) no objections were filed; or

(2) all objections filed by the individual have been resolved by the court or the administrative tribunal and the disclosures being sought are consistent with such resolution.

(iv) For the purposes of paragraph (e) (1) (ii) (B) of this section, a covered entity receives satisfactory assurances from a party seeking protected health information, if the covered entity receives from such party a written statement and accompanying documentation demonstrating that:

(A) the parties to the dispute giving rise to the request have agreed to a qualified protective order and have presented it to the court or administrative tribunal with jurisdiction over the dispute; or

(B) the party seeking the protected health information has requested a qualified protective order from such court or administrative tribunal.

v) For purposes of paragraph (e) (1) of this section, a qualified protective order means, with respect to protected health information requested under paragraph (e) (1) (ii) of this section, an order of a court or of an administrative tribunal or a stipulation by the parties to the litigation or administrative proceeding that:

(A) prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested; and

(B) requires return to the covered entity or destruction of the protected health information (including all copies made) at the end of the litigation or proceeding.

(v) Notwithstanding paragraph (e) (1) (ii) of this section, a covered entity may disclose protected health information in response to lawful process described in paragraph (e) (1) (ii) of this section without receiving satisfactory assurance under paragraph (e) (1) (ii) (A) or (B) of this section, if the covered entity makes reasonable efforts to provide notice to the individual sufficient to meet the requirements of paragraph (e) (1) (iii) of this section or to seek a qualified protective order sufficient to meet the requirements of paragraph (e) (1) (iv) of this section.

The Act further provides for civil money penalties for a covered entity's failure to comply with the Privacy Rule requirement. The penalties include $100 per failure and up to $25,000 per year for multiple violations in a calendar year. The Department of Health and Human Services may not impose a civil money penalty under specific circumstances, such as when a violation is due to reasonable cause and did not involve willful neglect and the covered entity corrected the violation within 30 days of when it knew or should have known of the violation.

Criminal penalties may be imposed if a person knowingly obtains or discloses individually identifiable health information in violation of HIPAA. Such a violation carries up to $50,000 in fines and a potential for one year in jail. These penalties increase to $100,000 and up to five years imprisonment if the wrongful conduct involves false pretenses, and up to $250,000 and up to ten years imprisonment if the wrongful conduct involves the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm.

As you can plainly see, use and disclosure of PHI is not an easy subject to deal with under HIPAA. While record production will be relatively easy as long as the appropriate subpoena or other recognized documentation accompanies the request, oral discussions clearly appear too risky and carry too much potential for violation of the statute. Notwithstanding the fact that the statute carves out exceptions in the context of lawsuits, it is certainly no longer as simple as merely answering a telephone call and engaging in a free discussion of your care and treatment of a patient, even if Texas law says that it is okay. Given the potential for the penalties cited above, and until the statutory burden is made lighter and or federal courts open the way for free discussion under these provisions, you are best served by politely refusing to discuss the patient's case with an attorney absent a signed authorization and or in the context of a deposition or court appearance.

Until next time, remember - While most hippos' look innocent enough, this HIPAA has real teeth!!!