Protection of Sensitive Health Records in a Personal Injury Case

How can you protect sensitive health records? The Health Insurance Portability and Accountability Act (HIPAA) protects the privacy of your sensitive health records.

This protection comes into play in most every personal injury case. It is particularly important in cases involving significant levels of medical records and medical discovery. These would include medical malpractice cases and cases involving very serious injury with significant and ongoing medical treatment.

Keep in mind that these records will generally have to be turned over the other side at some point for a number of reasons, most important of which is to establish damages. However, there are HIPAA protections as to how and when these documents are turned over.

What is HIPAA?

It‘s an act that Congress passed in 1996, and according to the Department of Health and Human Services (HHS), it does the following:

  • It provides the ability for American workers to transfer and continue healthcare coverage when they change or lose their jobs
  • It reduces incidents of healthcare fraud and abuse
  • It mandates industry-wide standards for healthcare info related to electronic billing and other processes
  • It requires the protection and confidential handling of protected health info

For purposes of healthcare privacy, the requirement related to the protection and handling of health information is the most significant. Under this requirement, healthcare providers must “develop and follow procedures that ensure the confidentiality and security of protected health information” any time that it‘s transferred, received, handled, or shared. This includes any form of protected health information, whether it‘s paper, oral, or electronic. In addition, HIPAA requires that only a minimum of health information “necessary to conduct business” can be used or shared.

How Exactly Does HIPAA Protect Our Privacy?

As healthcare professionals rely more and more on electronic health records, it seems that there are greater threats to the privacy of our sensitive health records. In order to ensure privacy, there‘s a HIPAA Privacy Rule that healthcare professionals must abide by.

First, it‘s important to know who is covered by the Privacy Rule. HHS explains that the Privacy Rule applies to health plans, healthcare clearinghouses, and “to any healthcare provider who transmits health information in electronic form” in connection with certain transactions.

  • Health Plans: these include health, medical, dental, vision, prescription drug insurers, health maintenance organizations (HMOs), Medicare, Medicaid, and long-term care insurers. The health plans described here are covered by HIPAA‘s Privacy Rule.
  • Health Care Providers: regardless of the size of the healthcare organization, every health care provider is a “covered entity.” In other words, every health care provider must abide by HIPAA privacy standards.
  • Health Care Clearinghouses: these are “entities that process nonstandard information they receive from another entity into a standard (meaning a standard format or data content). They include billing services, re-pricing companies, and community health management information systems. These entities typically only receive patient information when they‘re providing these processing services to healthcare providers. Only “Certain provisions of the Privacy Rule” are applicable to the information that‘s processed by these clearinghouses.

Court Orders and Subpoenas: HIPAA Privacy May Not Always Apply

While the Privacy Rule protects your health records in most circumstances, a court order can require a healthcare provider to disclose your protected health information, according to an HHS.

A subpoena is different from a court order, and it can only require disclosure of private health information if certain steps are taken. According to the Privacy Rule, a healthcare provider can only disclose protected health information to a party that issues a subpoena if it meets the notification requirements of the Privacy Rule. These include:

  • Notifying the person who is the subject of the information so that the person can object to the disclosure, or
  • Seeking a qualified protective order for the information

What is a HIPAA Qualified Protective Order? Under 45 C.F.R. § 164.512(e) of the HIPAA Privacy Regulations, this document can help protect you when someone is trying to subpoena your sensitive health records. The Qualified Protective Order can do two things:

  • Prohibit a person or entity from using or disclosing protected health information for any purpose other than the litigation (or other proceeding) for which it was requested, and
  • Require a person or entity to return the health information to the covered entity (typically, the healthcare provider) or to destroy it (including all copies made) at the end of the court proceeding.

If you are involved in personal injury case, it is important to understand your rights to privacy. These rights will be balanced against the rules of discovery. After all, to prove you are hurt and the seriousness of those injuries will require medical documentation. Without it, it will be difficult, if not impossible, to prevail in your case.


Related Readings:
Medical Privacy in a Personal Injury Case
Discovery in a Personal Injury Lawsuit: Often Difficult and Expensive but Always Necessary!
Disclosing Pre-Existing Conditions and Injuries in a Personal Injury Case

Share your thoughts