[Med-privacy] HIPAA Protection of Medical Records Involved in a Malpractice Case
pmarshall
pwm@comcast.net
Thu, 16 Oct 2003 11:25:58 +0000
This is a multi-part message in MIME format.
--------------050305010601050703040205
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title></title>
</head>
<body>
<!-- Thin Header 100%width --><!-- HEADER -->
<table width=3D"100%" cellpadding=3D"0" cellspacing=3D"0" border=3D"0">
<tbody>
<tr valign=3D"top">
<td width=3D"1%"><br>
</td>
<td width=3D"98%" bgcolor=3D"#557799"><img
src=3D"cid:part1.03090703.02040006@comcast.net" alt=3D"" width=3D"100"
height=3D"24"></td>
<td width=3D"1%" align=3D"right" nowrap=3D"nowrap"><a
href=3D"http://www.medscape.com"><img
src=3D"cid:part2.07040004.05030905@comcast.net" alt=3D"www.medscape.com"=
width=3D"114" height=3D"24" border=3D"0"></a></td>
</tr>
</tbody>
</table>
<!-- HEADER --><!-- /Thin Header 100%width -->
<div><img src=3D"cid:part1.03090703.02040006@comcast.net" alt=3D"" width=3D=
"1"
height=3D"25"></div>
<table width=3D"100%">
<tbody>
<tr valign=3D"top">
<td>
<div class=3D"title">HIPAA Protection of Medical Records Involved
in a Malpractice Case</div>
<br>
=09
<div class=3D"text10">Medscape Money & Medicine 4(2), 2003. =C2=
=A9
2003 Medscape</div>
=09
<div class=3D"text12">Posted 10/07/2003</div>
<br>
=09
<h3>Question</h3>
=09
<div class=3D"text12"> How does HIPAA compliance affect a law
firm that obtains medical records in a malpractice case once they are
received from a covered entity? =09
<p> </p>
</div>
=09
<h3>Response</h3>
=09
<div class=3D"text12"> <b>from Melinda Hatton, JD, 10/07/2003</b=
><br>
=09
<div class=3D"text12">
<p>A law firm is not considered a covered entity under the HIPAA
medical privacy rule. The standards, requirements, and implementation
specifications adopted under the rule, therefore, do not directly apply
to the law firm. (See definition of covered entity in section 160.103 of
the rule and the rule applicability statement in section 160.102.)</p>
<p>Under the privacy rule, however, when a provider discloses a
medical record to the law firm that is representing the provider in a
malpractice case, the law firm would be acting as a <i>business
associate</i> of that provider. (See section 160.103 for the definition
of business associate.) Before the disclosure can be made, the provider
and the law firm must enter into a written business associate agreement
or arrangement. (See section 164.502(e)(1) and (2) for general
standards for disclosure to a business associate and requirements for
written agreements or arrangements.)</p>
<p>The business associate agreement defines how the law firm may
use the medical record it receives from the provider. (See section
164.504(e)(2) for implementation specifications related to business
associate contracts.) Under the rule, the business associate agreement
must establish the required and permitted uses and disclosures of any
protected health information (PHI) received by the business associate.
The agreement cannot authorize the business associate to use or further
disclose information in any way that would violate the requirements of
the privacy rule if done by the provider.</p>
<p>The business associate, however, may be permitted under the
agreement to use or disclose the information for the <i>"proper
management and administration"</i> or <i>"to carry out the legal
responsibilities"</i> of the business associate. (See section
164.504(e)(4)(i).) This additional use or disclosure by the business
associate is permitted if: (1) the disclosure is required by law or (2)
the business associate receives reasonable assurances from the
recipient of the information that the recipient will keep the
information confidential and provide notice to the business associate
of any breaches of confidentiality it becomes aware of. (See section
164.504(e)(4)(ii).)</p>
<p>However, the HIPAA restrictions on use and disclosure of PHI
do not apply to a law firm acting on behalf of a patient who receives
the patient's record because the patient has signed a valid
authorization form. In fact, under the HIPAA requirements, a valid
authorization form must specifically indicate that there is a risk that
the information disclosed pursuant to the authorization may be
re-disclosed by the recipient and no longer protected by the HIPAA
medical privacy rule. (See section 164.508(c)(2)(iii) of the rule).
Other laws, regulations, and standards of professional conduct relating
to client confidentiality, however, would protect the privacy of the
information the law firm receives in this instance.</p>
</div>
<p> </p>
</div>
<h3>Suggested Readings</h3>
<div class=3D"text12">
<p>Department of Health and Human Services, Office of Civil
Rights, Medical Privacy -- National Standards To Protect the Privacy of
Personal Health Information. Available at: <a
href=3D"http://www.hhs.gov/ocr/hipaa/" target=3D"_blank">http://www.hhs.=
gov/ocr/hipaa/</a>
Accessed October 1, 2003.</p>
</div>
<br>
<img src=3D"cid:part4.06080505.05030408@comcast.net" height=3D"15"
width=3D"1" alt=3D""><br>
=09
<div class=3D"text12"><b>Melinda Hatton, JD</b>, Chief Washington
Counsel, American Hospital Association, Washington, DC</div>
<!-- /Main Table -->
<hr noshade=3D"noshade" size=3D"1"> </td>
</tr>
</tbody>
</table>
</body>
</html>
--------------050305010601050703040205
Content-Type: image/gif;
name="spacer.gif"
Content-Transfer-Encoding: base64
Content-ID: <part1.03090703.02040006@comcast.net>
Content-Disposition: inline;
filename="spacer.gif"
R0lGODlhAQABAIAAAAAAAAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==
--------------050305010601050703040205
Content-Type: image/gif;
name="txt-wwwmedscapecom2.gif"
Content-Transfer-Encoding: base64
Content-ID: <part2.07040004.05030905@comcast.net>
Content-Disposition: inline;
filename="txt-wwwmedscapecom2.gif"
R0lGODlhcgAYAJEAAFV3mf///6q7zICZsyH5BAAAAAAALAAAAAByABgAQAK7hI+py+0Po0xD
hDCzPnj7D4ai043miaYjxgJl2xqwm3S2fN00zim5DHT9EKVdTKdKKpfMpvMheEqnvSDt1cNa
hVydN/g1gsdE4O3ShWirO3aRHI7D5+Ly1Uym6tv7vv8PGHhgIVi4MWCYqDjxtljj1oa1VsRS
yUGJxnNJ9JKpWdNpZkmSF1b3Jne6xWeXyiZmyjAjeYcXUxVbh/uoyvp6ltewZoUK2ct1GbqZ
jIPpppzruCJNXW19jf1XAAA7
--------------050305010601050703040205
Content-Type: image/gif;
name="spacer.gif"
Content-Transfer-Encoding: base64
Content-ID: <part4.06080505.05030408@comcast.net>
Content-Disposition: inline;
filename="spacer.gif"
R0lGODlhAQABAIAAAAAAAAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==
--------------050305010601050703040205--