Imagine that you are a hospital administrator. Law enforcement shows up at the hospital with a grand jury subpoena or a request of some kind for information. Can you comply?
In many jurisdictions, if protected medical information is sought, when faced with a grand jury subpoena, the answer is no, despite penalties that may arise from disregarding a subpoena. When the Cleveland Clinic Foundation was faced with such a request, it ended up being subject to a state law privacy suit that a federal court refused to dismiss, despite the Clinic’s compliance with the federal Health Insurance Portability and Accountability Act (“HIPAA”). This result can arise whether the request is for protected health information in written records, or whether the request is to interview hospital employees who have gained protected information by virtue of their treatment. This counterintuitive result arises from the unexpected lack of preemption by HIPAA in a few key areas. Conversely, if no protected health information is sought, then requests for information are unlikely to raise the same privacy concerns.
Hospitals and medical providers can find themselves caught between competing statutes when faced with a request from law enforcement for patient medical information. Hospitals need to comply with lawful requests for information, yet also need to honor their legal duty to protect patient privacy. Whether the information request is lawful depends not only on the form in which it is requested (e.g., by subpoena or with patient authorization) but also upon the location of the provider, the governing federal and state statutes, common law, and the court involved. While most providers are familiar with the requirements embodied in HIPAA, it is important to note that state privacy statutes have been deemed more stringent than HIPAA on occasion and may allow for fewer disclosures than are recognized under federal law.
Congress enacted HIPAA in 1996. As part of its implementation, the Department of Health and Human Services enacted a regulation known as the “Privacy Rule” in 2000. See 65 Fed.Reg. 82,462 (Dec. 28, 2000) http://www.gpo.gov/fdsys/pkg/FR-2000-12-28/html/00-32678.htm(accessed Jan. 3, 2003). The Privacy Rule encompasses protected health information (PHI) obtained by medical providers and creates some rights. In some narrow circumstances, the rule allows covered entities such as hospitals to disclose PHI without a written patient authorization.
The circumstances allowing disclosure under HIPAA without a written patient authorization are defined by the exact regulations; there are limitations on what may be requested and disclosed. Generally, HIPAA allows disclosures for:
- Compliance with a court order, court-ordered warrant, subpoena or summons issued by a judicial officer, or grand jury subpoena.
- Responding to an administrative request (accompanied by the necessary statement).
- Responding to a request for PHI to locate or identify a suspect, fugitive, material witness or missing person; or about a suspected perpetrator of a crime when the victim is a member of the covered entity’s workforce and makes the report; or to identify or apprehend an individual who has admitted participation in a violent crime.
- Responding to a request for PHI about a victim of a crime, and the victim agrees. Where child-abuse victims or adult victims of abuse, neglect or domestic violence are concerned, other provisions of the rule apply and state law may require reporting.
- Reporting PHI to law enforcement when required by state law. For example, state laws commonly require health care providers to report gunshots or stab wounds.
- Alerting law enforcement to the suspicious death of an individual thought to be from criminal conduct; reporting PHI in good faith believed to be evidence of a crime occurring on the premises; or alerting alert law enforcement about criminal activity when responding to an off-site medical emergency.
- In some instances, where reporting is warranted to a law enforcement official reasonably able to prevent or lessen a serious and imminent threat to the health or safety of an individual or the public, to identify or apprehend an individual who appears to have escaped from lawful custody.
- For certain other specialized governmental law enforcement purposes, such as to federal officials authorized to conduct intelligence, counter-intelligence, and other national security activities under the National Security Act; or responding to a request for PHI by a correctional institution or a law enforcement official, in some situations.
http://www.hhs.gov/ocr/privacy/hipaa/faq/disclosures_for_law_enforcement_purposes/505.html(last accessed Jan. 3, 2003). HIPAA explicitly provides that if a state law provision is more stringent, it is not preempted. 45 C.F.R. §160.203(b). This can create confusion, because one would expect the federal statute to trump contravening state statutes, but HIPAA explicitly does not do so.
Generally, courts have found that HIPAA creates no “private right of action” to sue for a violation of the Privacy Rule. Rather, HIPAA allows the filing of a complaint with the Department of Health and Human Services, which may then decide to investigate the claimed privacy violation. 45 C.F.R. §160.306. Nonetheless, depending where the provider is located, various state statutory or common law causes of action may (or may not) exist from a claimed privacy violation, sounding in tort or contract. Thus, even if a hospital or other covered entity complies with HIPAA, the release of health information can still lead to legal action against the entity for violation of state privacy requirements. For example, in Turk v. Oiler et al., 732 F.Supp.2d 758 (N.D.Ohio, 2010), the Cleveland Clinic Foundation was sued by a patient whose records it agreed to turn over in response to a grand jury subpoena in a criminal investigation. Although the hospital satisfied its obligations under HIPAA, which authorizes the release medical records to law enforcement in response to a grand jury subpoena, the court found that Ohio’s physician-patient privilege was not preempted by HIPAA. Rather, Ohio’s privilege statute lacked any exception permitting disclosure of otherwise privileged medical information simply because the information is sought by grand jury subpoena. The court found it significant that the patient was not given notice of the subpoena and therefore did not have the opportunity to seek to quash the subpoena. The court also noted that law enforcement officials had other mechanisms to research the information they sought (e.g. whether the patient was under any disability). On this basis, the court refused to grant judgment as a matter of law on the invasion of privacy claim.
Although different from the Ohio law discussed in Turk v. Oiler, 732 F.Supp.2d 758 (N.D.Ohio, 2010), Indiana law likewise has specific subpoena requirements, apart from those embodied in HIPAA, allowing disclosure of patient medical records when the subpoena is accompanied by a Trial Rule 34 request, a written authorization, or a court order:
Records requested by subpoena -- Photostatic copy. When a: (1) subpoena coupled with a request under Rule 34 of the Indiana Rules of Trial Procedure; (2) subpoena coupled with a patient's written authorization under IC 34-6-2-15(2) (or IC 34-3-15.5-4 before its repeal); or (3) court order; requiring the production of a hospital medical record is served upon any hospital employee, the hospital employee with custody of the original hospital medical record may elect,instead of personally appearing and producing the original hospital medical record, to furnish the requesting party or the party's attorney with a photostatic copy of the hospital medical record, certified in accordance with section 7 [IC 34-43-1-7] of this chapter.
Ind. Code § 34-43-1-5. Similarly, the Seventh Circuit Court of Appeals has explained that “under Illinois law, even redacted medical records are not to be disclosed in judicial proceedings, with immaterial exceptions ... Illinois law … sets a ‘more stringent’ standard for disclosure than the HIPAA regulation …” Northwestern Memorial Hospital vs. Ashcroft, 362 F.3d 923 (7th Cir. 2004).
Complicating the situation is the fact that the pertinent law will also depend upon the nature of the litigation and the court faced with deciding the privacy question. In Northwestern Memorial Hospital vs. Ashcroft, supra, the Seventh Circuit decided an appeal from a district court order quashing a subpoena commanding the hospital to produce patient records that were sought in a lawsuit in New York, challenging the constitutionality of the Partial Birth Abortion Ban Act of 2003. The records were requested pursuant to an order by the district court judge in New York authorizing the hospital to produce the records after redacting patient identifying information. The Seventh Circuit found that Illinois law exceeds HIPAA in its protections, setting a more stringent standard for disclosure. While the district court applied Illinois law to quash the subpoena, the Seventh Circuit instead decided the issue based upon Federal Rule of Civil Procedure 45. In applying Fed. R. Civ. P. 45, Illinois law was merely persuasive. The court noted that state privileges are afforded comity in federal courts where possible and where they do not infringe on federal substantive and procedural policy. Thus, because HIPAA does not adopt state privilege law in federal question cases, the decision of how to respond to a subpoena in such cases will be governed by Fed. R. Civ. P. 45(c) and Federal Rule of Evidence 501. In other words, the court deciding the privacy issue will affect which law applies.
When faced with a request from law enforcement, whether to interview witnesses or for written medical records, hospitals and covered entities must exercise caution in releasing protected health information without a proper release. While HIPAA contains exceptions allowing the release of such information to law enforcement, including in response to a subpoena, state law can require more of the entity than does HIPAA, and contain different exceptions than the federal law.