General counsel may have access to all kinds of information during the discovery phase of litigation. But with the added wrinkle of electronic discovery, lawyers must tread lightly and carefully with this information, especially when dealing with personal health information.
The Health Insurance Portability and Accountability Act (HIPAA) established strict standards for healthcare providers, health plans and other covered entities to maintain the security and privacy of patients’ protected health information (PHI). Additionally, under the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, these rules also now apply to business associates of covered entities, as defined and explained in a previous article.
More and more, e-discovery in civil litigation applies to covered entities that store patient information in electronic health records (EHRs). EHRs are considered to be electronically stored information (ESI) for discovery requests, and counsel involved in litigation with a covered entity must consider the resulting issues related to HITECH and HIPAA.
E-discovery, HITECH and HIPAA
When representing a covered entity, counsel must first determine whether counsel itself is a business associate of that entity, which is highly likely in litigation involving health plans, health care providers or health care clearinghouses, since a law firm that receives PHI in the course of providing legal services to a covered entity is a business associate. Accordingly, counsel must ensure there is a Business Associate Agreement (BAA) with the covered entity so that both parties comply with the HITECH Act's privacy and security requirements. Any additional entities that will receive PHI must also enter into a BAA. This is particularly necessary when third-party providers are enlisted to collect and transmit PHI for e-discovery requests.
Counsel should also consider whether opposing counsel should enter into a BAA with the covered entity. This is unlikely to be appropriate, since opposing counsel does not perform services on the covered entity's behalf; it would arise only if the covered entity chose to disclose PHI to the opposing attorneys on that basis. At the same time, some disclosure to opposing counsel will likely be required of the covered entity pursuant to a discovery request.
Discovery requests, especially those involving e-discovery and PHI, can become very complicated. For example, under HIPAA's "minimum necessary" standard, a disclosure of PHI must be limited to the minimum necessary to accomplish the intended purpose of the use, disclosure or request. As such, counsel for the covered entity may need to redact or de-identify certain PHI or seek a protective order before disclosing PHI to opposing counsel, especially if opposing counsel requests all information related to a matter. The rise of e-discovery has only made redacting or de-identifying information that much more complex.
To address these discovery requests, counsel should attempt to reach an agreement with opposing counsel to narrow the scope of what is deemed relevant information in order to avoid disclosure of PHI. However, in circumstances where pertinent evidence contains PHI, it is important to note that disclosure is not automatically permitted just because a discovery request has been made. Specifically, under HIPAA, a covered entity may disclose PHI in a judicial proceeding only in response to a court order, or in response to a subpoena, discovery request or other lawful process if opposing counsel provides the covered entity with satisfactory assurance that reasonable efforts have been made to notify the individual or to obtain a qualified protective order. Furthermore, certain states have different standards for disclosure of health information as part of a discovery request, some even more stringent than HIPAA. Considering these hurdles, if a covered entity must disclose PHI as part of the discovery process, the parties should try to agree on a method of disclosure that avoids HIPAA issues (e.g., de-identifying the records), or both parties should be prepared to incur substantial discovery costs.
In addition to the procedural hurdles surrounding disclosure of PHI, e-discovery creates other issues to consider. One such issue is the handling of PHI by business associates as part of e-discovery, particularly by third-party providers engaged to develop and maintain e-discovery databases. Under the HITECH Act, business associates must adhere to the same privacy and security standards as covered entities, and compliance may be even more difficult in the case of digital PHI.
If a business associate fails to maintain such standards, it may be subject to substantial fines, as well as reputational damage from the breach notifications HIPAA requires when unsecured PHI is compromised. Counsel should be aware that the Office for Civil Rights of the Department of Health and Human Services (OCR), the agency that enforces the HIPAA Privacy and Security Rules, is undertaking a pilot program to audit the compliance of covered entities and business associates with those rules. Any covered entity, business associate or third-party provider is subject to such an audit.
While counsel may not consider themselves subject to healthcare regulations when representing or opposing a covered entity, they should always take into account whether they will come into contact with PHI, especially given the increasing complexities associated with e-discovery. If attorneys do handle PHI, they must be aware of the state and federal legal ramifications of being exposed to this information. Failure to do so could lead to significant fines and reputational damage stemming from the improper handling of PHI.