
The Impact of HIPAA Privacy Regulations on Discovery of Plaintiffs' Medical Records

By Lori G. Baer and Christiana P. Callahan
September 02, 2003

When products liability defense counsel first heard of the new privacy regulations issued by the U.S. Department of Health and Human Services under the Health Insurance Portability and Accountability Act of 1996 (HIPAA Privacy Regulations), most counsel probably thought that only their regulatory healthcare colleagues would be affected by these detailed and complicated laws. How great an impact the HIPAA Privacy Regulations will have on product liability litigation in general is yet to be seen, but it is clear that these regulations will have an immediate effect on discovery of medical records. Under the statutory or common law of most states, when a plaintiff files a suit that puts his/her medical or health condition at issue, the plaintiff waives his/her right to privacy, to at least some extent, in his/her medical records. When the HIPAA Privacy Regulations became enforceable on April 14, 2003, this was no longer the case. Because the HIPAA Privacy Regulations provide strict privacy protection for a patient's medical information, even if the patient filed a lawsuit with his/her health at issue, discovery of the patient's medical records could become more difficult for product liability defense counsel. However, defense counsel still will have several options to obtain discovery of a plaintiff's medical records under the HIPAA Privacy Regulations.

What are the HIPAA Privacy Regulations?

The HIPAA Privacy Regulations provide a comprehensive new federal law protecting the privacy of medical records. See 45 C.F.R. Parts 160 and 164; Pub. L. No. 104-191, §§ 262, 264, 110 Stat. 1936 (1996) (codified at 42 U.S.C. §§ 1320d-1329d-8, 1320d-2(note)). According to the new privacy standards, covered healthcare entities must follow certain procedures before using or disclosing individual health information contained in medical records. See generally, 45 C.F.R. §§ 160, 164. The HIPAA Privacy Regulations generally preempt state law governing disclosure of medical or health information. 45 C.F.R. § 160.203. However, if a state law is more stringent than the HIPAA Privacy Regulations, the state law is not preempted and will apply in addition to the HIPAA Privacy Regulations. 45 C.F.R. §§ 160.202, .203. The regulations define 'more stringent' as 1) prohibiting or restricting use or disclosure allowed by the regulations; 2) providing a patient with greater access to his or her individual health information; 3) providing a patient with more information about use, disclosure and rights concerning his or her health information; 4) increasing the privacy protections afforded by a legal permission to release health information; 5) requiring longer retention or more detailed reporting of health information; or 6) in general providing greater privacy protection to the patient. 45 C.F.R. § 160.202.

Even assuming that the applicable state law is preempted by the HIPAA Privacy Regulations, for the most part, product liability defendants are not directly affected by the HIPAA Privacy Regulations because they generally do not constitute 'covered entities.' The HIPAA Privacy Regulations directly apply only to 'covered entities.' 45 C.F.R. § 160.102. The regulations define a 'covered entity' as: 1) a health plan, such as an HMO, a self-insured employer group health plan, a health insurance company, Medicare or Medicaid; 2) a healthcare clearinghouse, which is an entity that translates health claims transactions from nonstandard to standard format; or 3) a healthcare provider who electronically transmits certain health claims transactions, such as a physician, pharmacist, hospital, or skilled nursing facility. 45 C.F.R. § 160.103; 42 U.S.C. §§ 1395x(s), (u). Although a healthcare provider also includes 'any other person or organization who furnishes, bills or is paid for healthcare in the normal course of business,' this definition does not include most product liability defendants, including medical device or pharmaceutical manufacturers and other product manufacturers or distributors, unless they are manufacturing or producing supplies or devices related to the health of a particular patient. See 45 C.F.R. § 160.103.

In addition, most product liability defendants would not be affected by the HIPAA Privacy Regulations as 'business associates' of 'covered entities' under the regulations. A 'business associate' under the regulations is a person or entity who provides a service to a covered entity that involves the use of individually identifiable health information, such as claims processing, data analysis, quality assurance, utilization review, billing, practice management, legal services, actuarial services, accounting or financial services. 45 C.F.R. § 160.103. The HIPAA Privacy Regulations provide that contracts between a covered entity and a business associate must contain certain provisions dealing with the use and disclosure of protected health information by the business associate. See 45 C.F.R. § 164.504(3). Typical product liability defendants are manufacturers or distributors of products and, as such, do not provide assistance to covered entities in activities involving health information such as claims processing, utilization review, billing, legal services or financial services.

Although not directly affected by the HIPAA Privacy Regulations as covered entities or business associates, typical product liability defendants are affected by the HIPAA Privacy Regulations because knowledge and understanding of a patient's medical or health information that is protected by these regulations is necessary to defend a product liability suit. The HIPAA Privacy Regulations govern the use and disclosure of 'protected health information' (PHI) in the possession of healthcare providers, who are the parties from which product liability defendants often need to obtain that information. See 45 C.F.R. § 164.502. PHI is defined as information relating to the physical or mental health or condition of an individual, the provision of healthcare to the individual or payments for the individual's healthcare, that is either created or received by a covered entity and that is in any form, including oral, written or electronic form. 45 C.F.R. § 160.102; 45 C.F.R. § 164.501. Information is considered PHI under the regulations if it identifies an individual or if there is a reasonable basis to believe that the individual may be identified. 45 C.F.R. § 160.102. PHI thus includes medical records, X-rays, mammograms, prescriptions and even oral diagnoses or treatment orders by physicians.

Discovery of PHI under the HIPAA Privacy Regulations

As the HIPAA Privacy Regulations provide for new rules regarding disclosure of PHI by covered entities, such as hospitals and physicians, the regulations greatly impact discovery of PHI, including medical records, prescriptions and X-rays. The regulations distinguish between those situations where PHI is required to be used or disclosed by a covered entity (i.e., a hospital) and those situations where PHI is permitted to be used or disclosed by a covered entity. See 45 C.F.R. § 164.502(a). In general, the permitted uses of PHI are for treatment, payment and healthcare operations, which include conducting or arranging for legal services, credentialing, auditing, and limited marketing. Id.; 45 C.F.R. § 164.506. A covered entity also is permitted to make disclosures of PHI for certain public health, health oversight, law enforcement, and other purposes serving the public interest. 45 C.F.R. § 164.512.

If PHI is to be used or disclosed for purposes other than for treatment, payment or healthcare operations, or other permitted purposes, a prior detailed written authorization by the patient is required. This patient authorization must clearly describe the scope of the information being used, the persons authorized to disclose the information and the persons authorized to receive the PHI. In addition, it must be revocable by the patient and must contain an expiration date or event. 45 C.F.R. § 164.508(c). However, the regulations provide for certain circumstances under which PHI may be used or disclosed by a covered entity without patient authorization or giving the patient an opportunity to agree or object to the disclosure. See 45 C.F.R. § 164.512.

The HIPAA Privacy Regulations allow PHI disclosures by a covered entity for judicial or administrative proceedings without patient authorization in three types of situations. See 45 C.F.R. § 164.512(e). First, a covered entity, such as a hospital, may disclose PHI in response to a court order. 45 C.F.R. § 164.512(e)(1)(i). Second, a covered entity, such as a hospital, may disclose PHI in response to a subpoena or a discovery request if the person or entity requesting the PHI has provided the covered entity with satisfactory assurances that a reasonable effort has been made either to notify the patient of the request or to obtain a qualified protective order. 45 C.F.R. § 164.512(e)(1)(ii). (According to the regulations, a 'qualified protective order' is a court order or stipulation by the parties to the dispute that 1) prohibits the parties from using the PHI for any purpose other than the litigation; and 2) requires the return of the PHI to the covered entity or the destruction of the PHI, including all copies, at the close of the litigation. 45 C.F.R. § 164.512(e)(1)(v).) Third, a covered entity, such as a hospital, may disclose PHI in response to a subpoena or discovery request without receiving satisfactory assurances from the person or entity seeking disclosure if the covered entity itself makes a reasonable effort to notify the patient or to seek a qualified protective order. 45 C.F.R. § 164.512(e)(1)(vi).

Under the second situation, a person or entity, such as a product liability defense counsel, seeking disclosure of PHI from a covered entity, such as a hospital, must provide 'satisfactory assurances' to the covered entity along with a discovery request or subpoena either that a reasonable effort was made to notify the patient or that a qualified protective order was sought. In order to demonstrate 'satisfactory assurances' that a reasonable effort was made to notify the patient, a person or entity seeking disclosure must provide the covered entity with a written statement that: 1) the person seeking disclosure made a good faith attempt at providing written notice to the patient; 2) the notice included sufficient information about the litigation; and 3) the patient did not object to the disclosure to the court or all objections were resolved by the court and the time to object has elapsed. 45 C.F.R. § 164.512(e)(iii). A person seeking disclosure of PHI demonstrates 'satisfactory assurances' that a reasonable effort was made to seek a qualified protective order if the person provides a written statement that either 1) the parties to the dispute have agreed to a qualified protective order and presented it to the court or 2) the person seeking PHI has requested a qualified protective order from the court. 45 C.F.R. § 164.512(e)(iv). Even if the entity seeking disclosure provides the covered entity with the necessary 'satisfactory assurances' along with a discovery request or subpoena, the covered entity cannot always release the entire medical record without a specific court order. According to the HIPAA Privacy Regulations, the covered entities must also comply with the Federal Alcohol and Drug Abuse Regulations, so that in accordance with 42 C.F.R. § 2.61, the covered entity that is subject to these regulations can only release alcohol and drug abuse records in response to a subpoena accompanied by a court order. Also, the provider is required under the HIPAA Privacy Regulations to disclose only the 'minimum necessary' amount of PHI to accomplish the purpose of the disclosure. 45 C.F.R. § 164.514(d)(3). Thus the provider might not be willing to disclose the entire medical record in response to a subpoena.

Impact on the Discovery of Medical Records

Although the HIPAA Privacy Regulations may not apply directly to the product liability defendant, the regulations will significantly affect the discovery of medical records. As described above, covered entities may disclose PHI in a judicial proceeding under certain circumstances, meaning that product liability defense counsel have different options to obtain discovery of medical records. According to the regulations, defense counsel could obtain discovery of medical records by seeking authorizations from the plaintiff that permit specified treating physicians and other providers of the plaintiff to release the plaintiff's PHI, including medical records, prescriptions, or films. The authorizations can be either broad or limited in scope, depending on the information needed and the willingness of the plaintiff to agree to the disclosure.

However, if the plaintiff will not sign the authorization, then defense counsel must show that the case qualifies under one of the three situations described above, so that the covered healthcare provider can disclose the patient's PHI without patient authorization. First, defense counsel could seek a court order compelling disclosure of the medical records. Second, defense counsel could subpoena the medical records or send the physician a discovery request for the records. However, in order to seek disclosure through a subpoena or discovery request, defense counsel must first either 1) seek a qualified protective order in agreement with the plaintiff under which the plaintiff would sign authorizations permitting disclosure of the plaintiff's PHI by the treating physicians and providers; 2) seek a qualified protective order from the court if the plaintiff refuses to agree to a qualified protective order; or 3) notify the plaintiff of the request and the nature of the litigation and wait for the time for the plaintiff to file an objection with the court to elapse. In addition, defense counsel must include a written statement showing that they satisfied one of these three options along with the discovery request or subpoena to the physician.

Checklist of Compliance

In an effort to comport with HIPAA Privacy Regulations, physicians and other providers are adopting new procedures for disclosing medical records. Consequently, product liability defense counsel must also change the way that they gain discovery of medical records. Product liability defense counsel should attempt to complete the following list:

  • Analyze state law to determine which discovery laws still apply and which are preempted by the HIPAA Privacy Regulations;
  • Draft patient authorization forms to comply with the regulations and to request the information needed;
  • Draft form letters to plaintiffs giving notice of a discovery request or subpoena and the nature of the litigation;
  • Draft form motions for a qualified protective order and brief in support thereof;
  • Draft cover letters to providers to accompany a discovery request or subpoena, explaining that satisfactory assurances have been provided.


Conclusion

At first glance, the HIPAA Privacy Regulations appear to favor plaintiffs in product liability actions by allowing them to make discovery of medical records more difficult through refusing to sign authorizations or agreeing to protective orders. It has become clear, though, that this was not and is not the goal behind the regulations. According to the Preamble to the final HIPAA Privacy Regulations, the provisions regarding disclosure of PHI without patient authorization in a judicial or administrative proceeding were 'not intended to disrupt current practice whereby an individual who is a party to a proceeding and has put his or her medical condition at issue will not prevail without consenting to the production of his or her protected health information.' See Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82462, 82530 (December 28, 2000) (codified at 45 C.F.R. Parts 160 and 164). Thus, regardless of the potential attempts by the plaintiff's side of the case to misuse the HIPAA Privacy Regulations to thwart lawful and necessary discovery, defense counsel should be allowed to conduct meaningful discovery even if a few additional obstacles are thrown onto his or her path.


Lori G. Baer is a partner with Alston & Bird, LLP. She focuses on litigation and trial work for the pharmaceutical and medical device industry, products liability and medical malpractice. Christiana P. Callahan is an associate with Alston & Bird, LLP. She focuses her practice on products liability and medical malpractice litigation and healthcare regulatory issues.
