Guest Article

HIPAA Regulations Guide Court in Ordering Patient Privacy Notice

---

Summary: A federal district court recently upheld the principles established under HIPAA's medical privacy regulations.

(June 18, 2001) - Individual privacy rights and the rights of individuals to control confidential medical information as set out in privacy rules under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) essentially were upheld by a federal district court in United States of America v. Franklin Sutherland, 2001 WL 497106 (W.D. Va., May 1, 2001).

Although compliance is not required until April 2003, the court said the standards in HIPAA's privacy rules "indicate a strong federal policy to protect the privacy of patient medical records, and they provide guidance to the present case." Consequently, the court said that a hospital may be required to turn over patient pharmacy records subject to government subpoena in a federal criminal action, but only after the patients have been given notice of their right to object to disclosure of the information.

The ruling has several significant implications, but the most important is the court's reliance on the federal policy expressed in HIPAA's privacy rules.

In the case, the federal government sought certain hospital pharmacy records as part of a criminal investigation of a medical doctor. A magistrate ordered that the records be disclosed but also required that the federal government first provide notice to each affected patient in accordance with state privacy laws.

On appeal, the federal district court said it was not bound by the state procedural law in a federal criminal prosecution; however, the court said that despite the inapplicability of state law, federal courts have acknowledged the importance of protecting patients' privacy in medical records.

The court also noted that "Congress has addressed the issue as well" through HIPAA privacy regulations, which define when and how disclosures are permitted for judicial and administrative proceedings.

Thus, the court said that, "[i]n response to a subpoena not accompanied by an order of a court, as in this case, a covered entity may disclose protected health information only after receiving satisfactory assurance 'from the party seeking the information that reasonable efforts have been made . . . to ensure that the individual [whose] . . . protected health information has been requested has been given notice of the request.'"

Thus, the court ordered the government to provide written notice prior to producing the pharmacy records to the last known address of each individual whose records are sought. The court said the notice must inform the individual that he or she may object to disclosure within five business days of the date the notice was mailed.

Implications

This ruling:

Helps define when state privacy law does not apply in a federal criminal prosecution -- which is significant because HIPAA's privacy rules do allow states in some circumstances to impose greater privacy protections; Gives guidance on what is a reasonable time -- five business days from the date of the notice -- for an individual to object to the proposed disclosure of protected information; and Affirms that protected information may be disclosed based on certain procedures; that is, notice to the individual.

From the Employer's Guide to the Health Insurance Portability and Accountability Act, published by Thompson Publishing Group, Inc.

©Thompson Publishing Group, Inc., 2001. All rights reserved.

---

BenefitsLink is an independent national employee benefits information provider, not formally affiliated with the firms and companies who kindly provide much of the content and advertisements published on this Web site, including the article shown above.