Legal consequences flow from the use or abuse of EHR. This monthly column presents examples of what those consequences can be.
Last month I wrote about the possible consequences for a healthcare provider which violated HIPAA when it produced personal health information (PHI) in response to a subpoena. But there are circumstances when PHI or other confidential and “sensitive” information must be produced by a provider during litigation. Information might be sought from a provider that is a party to a particular civil action, or a “non-party” could be subpoenaed.
Potential Reasons the Information is Being Sought
There is nothing nefarious about a party seeking information that might be protected under HIPAA or might otherwise be kept out of the public eye. Here are some examples:
- A person seeks to recover damages for personal injuries sustained in an automobile accident and needs hospital records to show the nature and extent of her injuries.
- A provider is sued for malpractice by a patient and the patient needs records of his care to prove that malpractice occurred.
- A provider has brought suit against an insurer to recover for unreimbursed treatment afforded a group of patients and the insurer seeks detailed treatment records to demonstrate that the charges were not medically necessary.
These examples are related to patient care and obviously implicate HIPAA. In at least one instance, however, the patient herself implicitly authorized the release of her records to her attorney to pursue litigation. Nevertheless, facts related to injuries and treatment can be said to be to “private” or sensitive in nature, such that an individual might not want those made public (just as income and earnings might be so considered). Other examples of confidential information outside the scope of HIPAA might include personal or business income and earnings. Whatever the information, there are ways—albeit imperfect ones—to protect the information from the unrelenting gaze of the public.
Once litigation is commenced (and barring some intervening event), the involved parties engage in discovery. This means that each party can seek information though discovery “devices” such as written interrogatories, demands for production of documents and ESI, and depositions. Generally speaking, any information relevant to a claim or defense in a particular litigation can be demanded. Moreover, non-parties which have information relevant to the litigation can be subpoenaed and compelled to produce relevant information.
Protecting Relevant Information
Assuming that information is relevant, we begin with the proposition that it must be produced in response to a request. There are ways to argue against production itself. For example, a provider could contend that the information is not within its possession, custody, or control. A provider could also argue that the information is, among other things, duplicative or available elsewhere. But, assuming any such arguments fail and production must be made, what protection remains available?
We begin with the proposition that discovery is considered to be a “private event.” That means that the public (and “the public” is often the media) does not have a right to the information. But there is nothing that prohibits the party that secured the information from sharing it with others. What’s the producing party to do to avoid that? The answer is simple: Get a protective order.
Rules of procedure that govern civil litigation in federal and state courts allow a party from which information is sought to apply for an order that could bar or limit a discovery request or put conditions on production. For our purposes, let’s assume that the relevant information must be produced. To protect the information from further dissemination, however, a court can require that the information be kept “confidential”—the information will be disclosed only to the attorney for the party which requested it (this is known as “attorneys’ eyes only”). The court can even bar the attorney from sharing the information—or part of it—from the attorney’s client (this is known as “two-tiered”). Such protective orders should not be entered as a matter of course. Instead, there should be at least a threshold showing that “good cause” exists for information to be protected. And, of course, a protective order could be violated and the proverbial cat be let out of the bag, leading to the confidential information becoming public—whether intentionally or unintentionally.
Safeguarding with the Tools Available
We are left with a simple proposition: There is a way to safeguard information produced in discovery. That safeguard might not be perfect, but nevertheless serves as a means to balance “production” and “confidentiality.” Any individual or business entity which is called on to produce information that is protected by statute, rule, or contract or which is sensitive for one reason or another should be prepared to ask the attorney to protect that information.
Confidentiality in Court
The protections discussed above do not apply to information that might be submitted to a court or discussed at a trial. These situations have a completely different set of rules.
**Editor’s note: The views expressed in this column are those of the author alone and should not be interpreted otherwise or as advice.