When Can PHI Disclosures be Made for Judicial and Administrative Proceedings?

Modified on Wed, 20 Dec, 2023 at 12:19 PM

DISCLAIMER: The information provided in this article, other knowledge base articles, and the Compliancy Group website do not, and are not intended to, constitute legal advice. All information, content, and materials in the Knowledge Base and on the Compliancy Group website are for general informational purposes only.


Covered entities are frequently asked in the course of judicial and administrative proceedings to provide medical records that contain PHI. A judicial proceeding is a court proceeding, presided over by a judge. An administrative proceeding is held by an administrative agency (sometimes called an administrative tribunal). An example of an administrative agency is a federal Cabinet agency, such as the Department of Labor. Administrative proceedings are presided over by an agency hearing officer, who sometimes has the title of "judge." Whether and to what degree such PHI may be disclosed in judicial and administrative proceedings depends upon several factors.

Can PHI Be Disclosed In Response to a Court Order?
A covered entity may disclose PHI in the course of a judicial or administrative proceeding under two conditions.

Condition #1: In response to an order of a court or administrative tribunal, provided that the CE or BA discloses only the PHI expressly authorized by the order.

Condition #2: In response to a subpoena, discovery request, or other lawful process, that is not accompanied by an order of a court or administrative tribunal, if:


  1. The CE or BA receives satisfactory assurances (the concept of “satisfactory assurances” will be discussed below), from the party seeking the information, that reasonable efforts have been made by such party to ensure that the individual who is the subject of the protected health information that has been requested (e.g., the patient) has been given notice of the request; or

  2. The CE or BA receives satisfactory assurances (the concept of “satisfactory assurances” will be discussed below), from the party seeking the information, that reasonable efforts have been made by that party to secure a qualified protective order (the concept of “qualified protective order” is described below) that meets HIPAA requirements. 


With respect to “A,” above, a CE or BA receives satisfactory assurances from a party seeking protected health information, if the CE or BA receives from that party a written statement and accompanying documentation demonstrating that:

A.  The party requesting such information has made a good faith attempt to provide written notice to the individual (or, if the individual's location is unknown, to mail a notice to the individual's last known address);

B.  The notice included sufficient information about the litigation or proceeding in which the protected health information is requested to permit the individual to raise an objection to the court or administrative tribunal; and

C.  The time for the individual to raise objections to the court or administrative tribunal has elapsed, and:

  1.       No objections were filed; or
  2.       All objections filed by the individual have been resolved by the court or administrative tribunal and the disclosures being sought are consistent with that resolution.

With respect to “B,” above, a CE or BA receives satisfactory assurances from a party seeking PHI, if the CE or BA receives from that party a written statement and accompanying documentation demonstrating that:

  1. The parties to the dispute giving rise to the request for information have agreed to a qualified protective order and have presented it to the court or administrative tribunal with jurisdiction over the dispute; or

  2. The party seeking the protected health information has requested a qualified protective order from such a court or administrative tribunal.


To summarize, a covered entity that is not a party to litigation must obtain or receive the required satisfactory assurances. Where the satisfactory assurances are in the form of notice to the individual, a written statement and accompanying documentation of notice to the individual’s lawyer is considered to be notice to the individual.


What is a Qualified Protective Order?

A qualified protective order is an order of a court or an administrative tribunal, or a stipulation (agreement) by the parties to the litigation or administrative proceeding that:

  1. Prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested; and

  2. Requires the return to the covered entity or destruction of the protected health information (including all copies made) at the end of the litigation or proceeding.

Can a Practice Use PHI for Litigation Purposes?

Where a covered entity is a party (e.g.  Plaintiff or Defendant) to a legal proceeding, the covered entity may use or disclose protected health information for purposes of the litigation as part of its healthcare operations.

“Healthcare operations” includes a covered entity’s activities of conducting or arranging for legal services to the extent such activities are related to the covered entity’s covered functions (i.e., those functions that make the entity a health plan, healthcare provider, or health care clearinghouse), including legal services related to an entity’s treatment or payment functions.

Example: A covered entity that is a defendant in a malpractice action or a plaintiff in a suit to obtain payment may use or disclose protected health information for such litigation as part of its healthcare operations. The covered entity, however, must make reasonable efforts to limit such uses and disclosures to the minimum necessary to accomplish the intended purpose.

In contrast, where the covered entity is not a party to the proceeding, the covered entity may disclose protected health information for the litigation in response to a court order, subpoena, discovery request, or other lawful process, provided the applicable requirements of 45 CFR 164.512(e) for disclosures for judicial and administrative proceedings are met (that is, when the satisfactory assurances requirements and protective order requirements are met). 

When Must a Covered Entity Account for PHI Disclosures Made During the Course of Litigation?
Under the HIPAA Privacy Rule, individuals have a right to receive, upon request, an accounting of disclosures of protected health information made by a covered entity (or its business associate), with certain exceptions. 

These exceptions, or instances where a covered entity is not required to account for disclosures, include (among others):

    1.     Disclosures for treatment, payment, or health care operations; and 

    2.     Disclosures authorized by the individual.


Disclosures that are subject to the "Accounting of Disclosures" requirement include disclosures made by a covered entity that is not a party to the litigation or proceeding and that are made:

    1.     As required by law (under 45 CFR 164.512(a) and 45 CFR 164.512 (e)(1)(i));

    2.     For a proceeding before a health oversight agency; or
    3.     In response to a subpoena, discovery request, or other lawful process.





 

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article