The HIPAA Minefield: Lawyers and the Treating Provider
By Gregory G. Sewell, Bouhan Falligant LLP
Special to Business in Savannah
The Health Insurance Portability and Accountability Act — more commonly known as HIPAA — celebrated its 20th anniversary last year. HIPAA was passed to protect patient health information and set national standards for the confidentiality, security and communication of personal health information. HIPAA applies to health care providers, among others, as “covered entities”; and, violations of HIPAA can result in damage to a health care practice’s reputation, in addition to criminal and civil fines ranging from $10,000 to $50,000 per violation. HIPAA was expanded in 2009 under the Health Information Technology for Economic and Clinical Health Act, commonly known as HITECH.
Most health care providers are familiar with the HIPAA regulations more commonly referred to as the HIPAA Privacy Rule, but not all providers are entirely clear when it concerns the specific parameters surrounding communications with attorneys relating to civil litigation.
In many cases, informal attorney-provider communications that occur in the context of pre-trial civil litigation occur between a treating health care provider and a patient-plaintiff’s attorney. When this communication occurs, all that is required is the patient-plaintiff’s execution of a HIPAA-compliant authorization for the use and disclosure of protected health information. Health care providers and their offices are generally quite familiar with these types of authorizations and they are easily obtained from a patient-plaintiff’s personal injury attorney. There is no requirement under HIPAA that a health care provider communicate informally with a patient-plaintiff’s attorney in connection with civil litigation because information contained in a health care provider’s memory is not subject to the patient’s right of access under the HIPAA Privacy Rule.
The water becomes murkier, however, when a health care provider is contacted by a defense attorney to discuss a patient-plaintiff’s care in connection with a lawsuit filed by the patient. This uncertainty can complicate all informal communications with defense counsel in civil litigation. So, the question typically becomes: what, if anything, can the provider discuss with the defense lawyer? Two Georgia Supreme Court cases address this very topic.
In 2008, Moreland v. Austin reversed the decision of the Georgia Court of Appeals and ruled that informal communications between defense counsel and a patient-plaintiff’s prior treating physicians are covered by HIPAA’s Privacy Rule. This means defense attorneys are prohibited from discussing the patient-plaintiff’s medical history, or other protected health information, without first complying with HIPAA regulations. And, compliance means that the defense lawyer must obtain a HIPAA-compliant authorization, resolve himself or herself to taking a formal deposition of the provider, or obtain a Court order, called a Qualified Protective Order, outlining the parameters of informal communications.
In the current litigation climate, it is highly unlikely that a health care provider will receive a HIPAA authorization allowing the provider to have informal communications with a defense attorney. The formal deposition process allows a defense attorney to ask questions of the provider, under oath, concerning their care and treatment of the patient-plaintiff with plaintiff’s counsel present, but it does not permit informal communications with the provider. The existence of a Qualified Protective Order may permit defense counsel in litigation to meet informally with certain specified treating health care providers who took care of the plaintiff-patient, but counsel must do so under the parameters outlined in the Order.
In 2010, Baker v. Wellstar Health Systems further clarified the Moreland v. Austin ruling, particularly as it relates to when a Qualified Protective Order may be issued and what must be contained in a Qualified Protective Order. As a result of Baker, Qualified Protective Orders issued by Georgia courts will contain very specific parameters that will govern the communication that can take place between defense counsel and a patient-plaintiff. Thus, it is important for the provider to obtain and familiarize himself or herself with the Qualified Protective Order prior to meeting with defense counsel to ensure compliance with the Order.
Under the Moreland ruling, in the absence of a HIPAA-compliant authorization or a Qualified Protective Order, a treating health care provider may only discuss with defense counsel logistical items that occasion the scheduling of a formal deposition. As long as no protected health information of the patient-plaintiff (beyond necessary identifying information) is disclosed, no improper informal communications have occurred. So, if a defense lawyer or a paralegal contacts a medical practice or a health care provider about meeting to discuss the care and treatment of a patient-plaintiff, but tells the provider they cannot talk about a patient’s medical information, it is not because they are being evasive. They are simply not allowed to say anything.
When asked to speak with an attorney, whether informally or by deposition, health care providers should take care to ensure that they comply with the HIPAA Privacy Rule before disclosing any protected health information pertaining to a patient who might also be a plaintiff in pre-trial civil litigation. Many professional liability insurance policies provide legal representation for situations where health care providers are asked to meet informally with an attorney or to provide deposition testimony in a civil lawsuit, even when the request is made by counsel for the patient-plaintiff pursuant to a HIPAA authorization. Health care providers should consider retaining counsel when requests for meetings or depositions are received from plaintiff’s or defense counsel to ensure that the health care provider is adequately protected generally and under HIPAA.
Attorney Gregory G. Sewell is a partner at Bouhan Falligant LLP. His practice focuses on medical malpractice defense, personal injury defense and business litigation. He can be reached at 912-644-5738 or email@example.com