T. Emmet Thornton

T. Emmet Thornton

One of the purposes of the Health Insurance Portability and Privacy Act of 1996 is to increase consumers' control over their health care information. The regulations that guide HIPAA implementation, which become effective on April 14, 2003, contain minimum national standards for medical information privacy. State laws that provide greater privacy rights to the patient will not be affected by the federal regulations.

But with respect to subpoenas for medical information, it is likely that the federal regulations will grant patients broader privacy rights than existing laws do in many states. Our review of California law, for instance, found that HIPAA will supersede state law in several respects. Consequently, in California at least, the rules concerning medical-record subpoenas will change.

In other states, these changes will depend on the nature of existing law. While what is presented here applies specifically to California, it is instructive on a general level and should encourage providers in any state to learn whether these or similar situations apply to them.

Changes in notice provisions

Under California law, the party requesting medical information must serve a subpoena and a supporting affidavit and notify the patient of its intent at least 10 days before the date the documents must be produced. The provider must be given at least 15 days notice to turn over the documents. The California timetable will not change, but HIPAA regulations will also require that the provider be given written documentation from the party seeking the release of this information that it has attempted to notify the patient about the subpoena, and a written statement that either the patient did not object in a timely manner or that any objection was resolved in favor of disclosure.

This requirement of a written statement is new; subpoenas for medical information will thus become a two-step process, at least in California — the subpoena, then the written statement. These changes will result in a more cumbersome process in obtaining medical records.

"Minimum necessary" requirement

California law does not specify limitations on the extent to which medical records are subject to subpoena in personal-injury actions. The defense, particularly in malpractice suits, typically seeks the widest possible disclosure in searching for existing medical conditions and alternative causes of the injuries claimed by the plaintiff. Predictably, a plaintiff would try to limit the scope of the defense's discovery.

When disputes arise over how much medical information can be disclosed, they are usually handled in trial court and, typically, there is no appellate review of the decision. Generally speaking, most trial court judges have allowed the defense to obtain medical records from the last 5 to 10 years, except where clearly irrelevant records are sought and where their disclosure could embarrass the plaintiff.

This is consistent with California's liberal discovery rule, which says that the plaintiff who places his or her medical condition in issue waives the right to privacy if it is relevant to the injury claim. California defines the scope of discovery as matters that are themselves "admissible in evidence or appear reasonably calculated to lead to the discovery of admissible evidence."

HIPAA may narrow the scope of medical information that can be obtained. Perhaps the most significant change is in its "minimum necessary" requirement. In essence, this says that a person or group that discloses or uses protected health information must make reasonable efforts to limit such activity to the minimum amount of information that would be needed to accomplish the intended purpose.

This is designed to limit the amount of medical information disclosed in litigation. The HIPAA regulations do not define the term "minimum necessary." Whether this will be defined as information that, under California law, is "admissible in evidence or appears reasonably calculated to lead to the discovery of admissible evidence" remains to be decided by the courts. No doubt, the "minimum necessary" requirement will result in a flood of legal action.

The federal regulations seem designed to allow providers to respond to subpoenas without the enormous burden of having to review patients' charts to determine just what is the minimum necessary information to turn over. If the patient has agreed to what HIPAA calls a "qualified protective order," then the information that is disclosed cannot be used for purposes other than the litigation, and the records and all copies of them must be destroyed or returned to the provider when the litigation is over. In this case, the provider may safely turn over information when it is requested.

Without the qualified protective order, disclosure becomes a two-step process. To comply with California law, the provider has at least 20 days to produce the information. Then, in keeping with HIPAA's requirement for documentation, the provider must get a written statement that no outstanding objections to disclosure exist before medical records can be surrendered.

Tug of war

After April 14, 2003, it is inevitable that a plaintiff will try to limit the defense's access to medical information to as narrow a scope as possible. The defense will be just as aggressive in asserting the necessity of the subpoenaed records. Providers risk fines and other penalties if they provide information beyond what would be considered "minimum necessary." The bottom line: Providers will be well advised to refuse to provide health information in response to subpoenas that are not HIPAA-compliant.

Until all concerned become familiar with HIPAA, it seems inevitable that providers who rightfully demand compliance with the regulations will be drawn into court to justify their refusals. Providers will need to be knowledgeable about the new notice and "minimum necessary" requirements.

Maximum headaches

In the past, when a provider has been served with an unopposed subpoena or court order for an entire patient chart, the whole chart could be copied. However, it is inevitable that, in some instances, providers now will be required to produce less than the entire chart. These are the cases that will burden providers.

Some subpoenas and court orders probably will require that all medical information between specified dates be turned over. For hospitals and primary care physicians, depending on the complexity of the chart, this may require medical personnel to review progress notes, nurses' notes, dictated reports, consultation reports, lab reports, billing records, and other chart components. This is time-consuming and potentially costly.

Where risk enters the picture is a situation that requires the provider to exercise discretion in determining which records to produce. Take, for instance, a subpoena to a medical group for all of a patient's records that relate to a plaintiff's care for diabetes. In some situations, it will be unclear whether some visits or treatments were related to the condition in issue. This gives the provider a Hobson's choice: Disclosing too much information is a HIPAA violation, potentially resulting in suit for violating the patient's privacy; disclosing too little is a failure to respond properly to the subpoena.

The best course in this situation will be to obtain advice from a capable lawyer.

T. Emmet Thornton, a partner in the Los Angeles office of Sedgwick, Detert, Moran, and Arnold, has defended numerous health care providers and insurers in professional liability, bad faith, ERISA, and other health care litigation. He writes the legal newsletter "Communiqué."

Managed Care’s Top Ten Articles of 2016

There’s a lot more going on in health care than mergers (Aetna-Humana, Anthem-Cigna) creating huge players. Hundreds of insurers operate in 50 different states. Self-insured employers, ACA public exchanges, Medicare Advantage, and Medicaid managed care plans crowd an increasingly complex market.

Major health care players are determined to make health information exchanges (HIEs) work. The push toward value-based payment alone almost guarantees that HIEs will be tweaked, poked, prodded, and overhauled until they deliver on their promise. The goal: straight talk from and among tech systems.

They bring a different mindset. They’re willing to work in teams and focus on the sort of evidence-based medicine that can guide health care’s transformation into a system based on value. One question: How well will this new generation of data-driven MDs deal with patients?

The surge of new MS treatments have been for the relapsing-remitting form of the disease. There’s hope for sufferers of a different form of MS. By homing in on CD20-positive B cells, ocrelizumab is able to knock them out and other aberrant B cells circulating in the bloodstream.

A flood of tests have insurers ramping up prior authorization and utilization review. Information overload is a problem. As doctors struggle to keep up, health plans need to get ahead of the development of the technology in order to successfully manage genetic testing appropriately.

Having the data is one thing. Knowing how to use it is another. Applying its computational power to the data, a company called RowdMap puts providers into high-, medium-, and low-value buckets compared with peers in their markets, using specific benchmarks to show why outliers differ from the norm.
Competition among manufacturers, industry consolidation, and capitalization on me-too drugs are cranking up generic and branded drug prices. This increase has compelled PBMs, health plan sponsors, and retail pharmacies to find novel ways to turn a profit, often at the expense of the consumer.
The development of recombinant DNA and other technologies has added a new dimension to care. These medications have revolutionized the treatment of rheumatoid arthritis and many of the other 80 or so autoimmune diseases. But they can be budget busters and have a tricky side effect profile.

Shelley Slade
Vogel, Slade & Goldstein

Hub programs have emerged as a profitable new line of business in the sales and distribution side of the pharmaceutical industry that has got more than its fair share of wheeling and dealing. But they spell trouble if they spark collusion, threaten patients, or waste federal dollars.

More companies are self-insuring—and it’s not just large employers that are striking out on their own. The percentage of employers who fully self-insure increased by 44% in 1999 to 63% in 2015. Self-insurance may give employers more control over benefit packages, and stop-loss protects them against uncapped liability.