HIPAA Requirements and PHI Disclosure
By Vanessa Mulnix
Following the 2013 HIPAA amendments, several states followed suit by amending their privacy statutes to help reduce disclosure of protected health information (PHI). That said, you may disclose PHI without patient authorization in certain situations. There also are situations where you may be obligated to disclose PHI.
There are two situations (outlined by HIPAA) where a covered entity is required to disclose PHI:
(1) when the patient makes a valid request1 (with certain limited exceptions2); and (2) when requested by the Department of Health & Human Services to do a HIPAA-compliance audit.3
In addition, one of the most common types of medical record requests is a subpoena. A subpoena differs from a court order in that it is typically signed by a court clerk or attorney, not a judge. If you receive a subpoena, consider several factors prior to responding or objecting.
HIPAA allows a covered entity to disclose PHI “in the course of any judicial or administrative proceeding” in response to an order of a court or administrative tribunal, or a subpoena, discovery request, or other lawful process.4 Each has restrictions.
A disclosure of PHI in response to an order of a court or administrative tribunal is limited to “only the PHI expressly authorized by such order.”
A subpoena signed by an attorney or court clerk must be accompanied by either a signed patient authorization or satisfactory assurances of patient approval/notice. Notice means the individual who is the subject of the PHI was notified of the request and given an opportunity to object.5
Importantly, most states provide extra protection for certain types of PHI. For example, psychotherapy notes require authorization from the patient even if there is a court order compelling production of the medical record.6
Another example of protected PHI is alcohol and/or drug abuse. Absent a few narrow exceptions, a covered entity may not disclose PHI related to alcohol and/or drug abuse without the patient’s express authorization.7
What should your facility do after receiving a subpoena or court order requesting documents? We suggest the following:
1. Determine whether the subject of the request is or was a patient.
2. Review the request to determine whether the information requested is in your possession.
3. Look to see whether the document is a court order signed by a judge or if it is a subpoena signed by a court clerk or attorney.
4. Look to see whether the information requested contains psychotherapy notes, alcohol and/or drug abuse information, or any other protected information based on state law.
5. If the document is a subpoena and not a court order, is it accompanied by theappropriate “satisfactory assurances” required by HIPAA?
6. If you have any doubt, contact your liability insurer or local legal counsel to determine whether the authorization is proper.
Another type of PHI request is one from a law enforcement officer for law enforcement purposes. This may include, but is not limited to, reporting certain types of wounds such as gunshot or knife wounds, grand jury subpoenas, or court-ordered warrants or subpoenas.8
HIPAA allows disclosure of limited information to law enforcement for identifying and locating suspects, fugitives, material witnesses, or missing persons.9 Information that may be disclosed is limited to name and address, date and place of birth, social security number, ABO blood type and Rh factor, type of injury, date and time of treatment, date and time of death (if applicable), and distinguishing physical characteristics.10
Your facility also may be permitted to disclose certain PHI to law enforcement officials for suspected victims of crimes, decedents, crimes on your premises, or reporting a crime in an emergency.11
Each of these instances contains specific provisions and limitations that should be reviewed prior to complying with a request. A common question involves what to disclose after receiving a request. Generally speaking, limit your disclosure to the information outlined in the written request. The request may contain timen restrictions (e.g., care provided between certain dates), treatment restrictions, or occurrence restrictions (e.g., care provided relating to a patient’s broken leg). However, some requests may ask for the entire record. State law defines what constitutes a medical record, and definitions vary. Usually a medical record includes any and all information a healthcare provider has in his or her possession. That may include physicians’ clinical notes, notes from other healthcare providers, billing information, referrals, imaging studies and reports, and phone call notes from another provider.
Here is an example of a medical record definition from Michigan: “Medical record means information oral or recorded in any form or medium that pertains to a patient’s health care, medical history, diagnosis, prognosis, or medical condition and that is maintained by a health care provider or health facility in the process of caring for the patient’s health.”12
Ohio’s definition of a medical record differs slightly. It states a medical record “means data in any form that pertains to a patient’s medical history, diagnosis, prognosis, or medical condition and that is generated and maintained by a healthcare provider in the process of the patient’s health care treatment.”13
These examples are ambiguous about whether items like billing records fit into the definition of a medical record. Be sure to contact your liability insurer or local attorney if you have any questions. Remember when you receive a request for PHI—no matter whether from a court, attorney, or law enforcement official—HIPAA almost always dictates how you respond. Identify your facility’s most common record requests and familiarize yourself with HIPAA and state law that dictate your obligations. This will help streamline your process and aid efficiency.
145 CFR 164.502(a)(2).
245 CFR 164.524 & 164.528.
345 CFR 164.502(a)(2).
445 CFR 164.512(e).
545 CFR 164.512(e).
645 CFR 164.508(a)(2).
742 CFR Part 2.
845 CFR 164.512(f)(1).
945 CFR 164.512(f)(2).
1045 CFR 164.512(f)(2)(i)(A-H).
1145 CFR 164.512(f)(3-6).
12MCL § 333.26263(i).
13ORC § 3701.74(A)(8).
Vanessa Mulnix, RN, BSN, CPHRM, CPHQ, is a ProAssurance Senior Risk Resource Advisor.