RBGG’s Poppy Alexander published an article in Law360 on August 14, 2015, “No Defendants, You Can’t Use HIPPA to Deny Discovery.” (Link subject to paywall but full text of the article is set out below.)

According to the introduction to the article on Law360, “Despite the Seventh Circuit’s widely accepted interpretation of the Health Information Portability and Accountability Act’s privacy limitations, some defendants in large institutional class actions will claim HIPAA creates a federal privacy right in each patients’ medical information, which some then attempt to use as an argument to shield discovery. That, simply put, is a misunderstanding of the law, says Sarah Poppy Alexander.”

“No Defendants, You Can’t Use HIPPA to Deny Discovery”:  Practical Advice to Avoid Discovery Battles Over Medical Records

By Sarah Poppy Alexander, Rosen, Bien, Galvan & Grunfeld LLP

The Health Information Portability and Accountability Act (HIPAA) accomplishes two things: It provides important protections for the privacy of patients’ sensitive medical information while simultaneously providing the means for legitimately obtaining that information. HIPAA was never intended to bar the legitimate discovery of relevant medical records in litigation. Yet a number of defendants use HIPAA to block discovery of patient medical records in institutional class action cases. Some defendants may do so out of confusion about what their obligations under HIPAA actually entail; others may do it deliberately to thwart the flow of information. Regardless of defendants’ intent, plaintiffs’ counsel need to familiarize themselves with the content of the HIPAA regulations to avoid unnecessary and costly discovery delays in large institutional class action cases. Counsel should be prepared to address HIPAA issues early in the litigation process for all cases where medical records may be relevant. Doing so will help ensure the free flow of necessary information and sidestep unnecessary discovery fights.

HIPAA Provides Guidelines for Obtaining Medical Information

HIPAA provides both protection for patients’ medical information and guidelines for how and why this information may be shared. HIPAA includes a number of provisions protecting the privacy of medical information stored by so-called “covered entities.”  It also provides that this information may be disclosed pursuant to a signed records release or in limited circumstances outlined in federal regulations.

“Covered entities” often overlook the second half of what HIPAA does, choosing to see it only as protective of information and not as a guideline for information flow. This may stem from a legitimate concern about the stiff penalties covered entities can incur for violating HIPAA, or it may stem from a general reluctance to share information.

For most lawyers, the most important HIPAA guideline for the flow of information is 45 C.F.R. § 164.512(e): “Disclosures for judicial and administrative proceedings.” This subsection permits the disclosure of protected health information in three litigation-specific circumstances: (1) in response to a court order; (2) in response to a subpoena or discovery request if the requesting party provides “satisfactory assurance” that “reasonable efforts” to provide notice to the individual have occurred or (3) in response to a subpoena or discovery request if the requesting party provides “satisfactory assurance” that “reasonable efforts” to obtain a “qualified protective order” have occurred.

Generally, obtaining a qualified protective order will be the most expeditious means of obtaining protected health information. Fortunately, the regulations specify exactly what needs to be in a qualified protective order in 45 C.F.R. § 164.512(e)(v): It must “[p]rohibit[] the parties from using or disclosing the protected health information for any purpose other than the litigation or proceeding for which such information was requested” and “[r]equire[] the return to the covered entity or destruction of the protected health information (including all copies made) at the end of the litigation or proceeding.”

Practically speaking, in any litigation where medical records may be requested in discovery, counsel should ensure that a protective order with these two clauses is in place before issuing any discovery request. It may also be helpful to include a clause within the order that “this protective order is a qualified protective order pursuant to 45 C.F.R. § 164.512(e)(v).”

Covered entities may not be familiar with the idea of the qualified protective order. They are more likely to be comfortable requiring the written authorization of a patient before permitting the release of medical information. Defendants may go so far as to claim that this is the only method for releasing the records at issue. Obtaining written authorization may, in fact, be the quickest and best solution in a case where the medical care provided to only one or two individuals is at issue, such as a typical medical malpractice case. But in larger class action cases, obtaining authorizations for every individual will be impractical and expensive at best and most likely impossible. In those cases, the qualified protective order will be far more effective and expeditious.

The Interaction Between HIPAA and the Federal Right to Medical Privacy

HIPAA does not create any new federal privacy rights. The Seventh Circuit held as much in Northwestern Memorial Hospital v. Ashcroft, 362 F.3d 923 (7th Cir. 2004), which is widely accepted as the correct interpretation of HIPAA’s limitations. Despite this, some defendants will claim that HIPAA creates a federal privacy right in each patients’ medical information. Defendants will then attempt to use this argument to shield discovery. That simply is a misunderstanding of the law. HIPAA cannot be used to limit legitimate discovery on the basis of privacy.

Even though HIPAA does not create new federal privacy rights, there is a general federal right to privacy in one’s medical information. This federal common law right is not absolute and will be balanced by a court against a party’s demonstrated compelling need for obtaining the information. See, e.g., Hutton v. City of Martinez, 219 F.R.D. 164, 166 (N.D. Cal. 2003). The HIPAA regulations do not address this federal right to privacy at all and fail to specify precisely what a HIPAA-compliant protective order authorizes. Practically, this means that before authorizing discovery of medical records, a court may need to balance plaintiffs’ need for all of the information contained in the records. The two most important unresolved areas for most institutional class action suits will be whether redactions are mandated, allowed, or prohibited, and whether class certification shifts the federal privacy balance in favor of the plaintiffs.

Redactions

Nothing in the HIPAA regulations states whether a medical record may be redacted to eliminate identifying information before production pursuant to a HIPAA-compliant protective order. Defendants may again use this issue to try to slow down discovery by claiming that the process of redacting identifying information is required, but is too burdensome and costly.

Depending on the case, redactions may not matter for proving the substance of a claim. Defendants’ need or desire to redact certain information means that there will be an argument about the burdensome and expensive nature of providing the redacted records plaintiffs seek. For this reason alone, it may be better to fight for unredacted medical records regardless of whether the patient’s information is relevant to a specific case. Unfortunately there is no good guidance in the case law about whether parties in pre-certification institutional class litigation have a right to unredacted medical information if said information is produced pursuant to a qualified protective order. The judge will ultimately weigh the need for unredacted information against the federal right of privacy—HIPAA will have nothing to do with it. Different judges have taken very different approaches to this balancing test. In at least a few cases, courts have allowed the production of unredacted medical information prior to class certification. See Gray v. Cnty. of Riverside, No. 13-00444, 2014 WL 5304915, at *15 n.6 (C.D. Cal. Sept. 2, 2014); Kallas v. Carnival Corp., No. 06-20115, 2007 WL 2819385, at *2 (S.D. Fla. Sept. 25, 2007). Other courts have presumed that only redacted information is available pre-certification. However, in many of these cases, the plaintiff did not seek unredacted information, meaning that the judge did not directly consider the redaction question. See, e.g., Allen v. Woodford, No. 05-1104, 2007 WL 309485, at *11-12 (E.D. Cal. Jan. 30, 2007).

Class Certification

Another unresolved question about the scope of a qualified protective order is whether class certification is an important marker in the balancing of federal privacy rights. Nothing in the HIPAA regulations speak to this. Yet courts have consistently presumed that post-class certification, the plaintiffs have a greater interest in the medical data, shifting the weight of the balance towards disclosure. See Romano v. SLS Residential Inc., 298 F.R.D. 103, 114-15 (S.D.N.Y. 2014); Ginest v. Bd. of Cnty. Comm’rs of Carbon Cnty., 306 F. Supp. 2d 1158, 1159-60 (D. Wyo. 2004). Thus, even if a court is unconvinced that plaintiffs’ need for unredacted information pre-certification is sufficient to overcome any privacy interests defendants may assert, plaintiffs should be prepared to argue that once individual class members are officially plaintiffs, it is plaintiffs’ counsel’s job—not defendants’—to protect their privacy interests.

What Privacy Rights Are Not in Play: State Privacy Laws

As just discussed, federal privacy rights do interact with HIPAA to define the scope of medical record discovery in federal cases. State privacy laws, on the other hand, are not relevant. Despite this, a favorite blocking tactic of some defendants is to claim that state medical privacy rules prevent the production of patient medical records. State privacy laws are generally more protective than the federal rules; however, they are not applicable to injunctive relief cases arising under federal law. See Delaney v. Tilton, No. 07-1219, 2008 WL 4298179, at *3 (E.D. Cal. Sept. 18, 2008). Whether defendants assert these state rights out of ignorance or to stymie discovery, such assertions should be immediately counteracted through the meet-and-confer process.

Three Steps to Obtaining Needed Discovery under HIPAA

Based on the above considerations, a recommended strategy for heading off unnecessary discovery fights would be as follows:

Get the judge on your side early.

In cases where you know that you will need medical records and that obtaining signed releases will be impracticable or impossible, alert the court to this issue early on. It may make sense, for example, to raise this issue in your initial case management statement. Make sure the judge understands the legal issues and your right to this discovery. If defendants are amenable, get their stipulation to your right to this information at the initial conference.

Draft a HIPAA compliant protective order.

Using the language in 45 C.F.R. § 164.512(e)(v) as your guide, draft a protective order in your case before any discovery has been served. Confirm it is explicitly understood by all parties that the protective order complies with HIPAA and applies to all parties, experts, and relevant third-parties.

Be prepared for a motion to compel.

If all else fails, be prepared to file a motion to compel. This means knowing the case law on HIPAA, redaction rules, federal privacy rights, applicability of state privacy law, and pre- and post-class certification rules. The cases cited herein should hopefully be a starting point for your meet and confer process.