Mention the Health Insurance Portability and Accountability Act of 1996,[1] otherwise known as HIPAA, to someone in law enforcement or a county or district attorney’s office and you’ll likely receive one of a few responses: “[expletive deleted],” “I don’t have to worry about HIPAA because it doesn’t apply to me,” or “I can’t ever get the medical records I need without a fight!” It’s often accompanied by changes in a person’s physical appearance: redness of the face and neck, clenched fists, increased and rapid heart rate, and an unwavering glare. You can’t help but wonder which of these responses is correct.
Whether you’re in law enforcement or in a prosecutor’s office, I hope this article will help dispel common misunderstandings about HIPAA and clarify its actual requirements when it comes to making sure everyone can effectively do his or her own job. While I initially thought I could limit this article to HIPAA only, there are several Texas laws that must also be included and addressed, especially because one of the most frequent questions I hear from Texas prosecutors is, “What must my office do to comply with HIPAA?”
It’s been my experience that it’s easier to learn something when you see how it applies in the real world, so this article presents a fairly straightforward hypothetical about health information and then analyzes the issues it presents under HIPAA’s Privacy Rule and several relevant Texas confidentiality statutes. It concludes with a “final answer” for each issue as to whether and how health information can be disclosed, plus what the requestor’s office must do to comply with HIPAA and with Texas law.
An assistant district attorney (ADA) is preparing his burglary case against a defendant. He issues a subpoena to the county hospital requesting the defendant’s medical records; she had cut her arm on the glass door of a house she had broken into (allegedly to burgle) as she tried to flee from the homeowner. The homeowner heard someone breaking into her house and immediately called the police. The homeowner then chased the defendant into the backyard, tackled her to the ground, and held her until police arrived. The defendant was taken to the county hospital for treatment for her injuries and was then taken to the county jail.
The ADA also sends a subpoena for the homeowner’s medical records to the hospital where she was treated for cuts and bruises she sustained during her fight with the defendant.
Important questions about the case:
• May the ADA get the defendant’s medical records from the county hospital?
• May the ADA get the homeowner’s medical records from the other hospital?
• If the ADA obtains copies of the medical records he’s requested, must he protect the confidentiality of those records or take any special precautions with respect to handling or disposing of them?
The defendant’s medical records. When the defendant was taken to the county hospital, she was treated like any member of the general public who presents for treatment: She was registered as a patient in the emergency room and received treatment for her injuries, and that treatment was recorded in detail in her medical record. She was then discharged back to the police for transport to the county jail.
When the county hospital receives a request for the defendant’s health information, the county hospital has an obligation (as a covered entity under both HIPAA and Texas law) to protect it. HIPAA applies only to “covered entities”: 1) health plans, 2) healthcare clearinghouses, and 3) healthcare providers that transmit health information electronically in connection with HIPAA-defined transactions.[2] Under Texas Health & Safety Code Chapter 181, aka “Texas’s HIPAA,” the term “covered entity” is broader, covering not just those individuals and entities, but also any individual or entity that comes into possession of health information. Therefore, the county hospital must determine 1) whether HIPAA’s Privacy Rule or Texas law will control the release of this individual’s records in this situation, and 2) whether that law requires or permits the county hospital to produce the requested medical records to the ADA in accordance with a subpoena, or whether the county hospital must obtain the defendant’s permission first.
It’s important to understand that, unlike most federal laws, HIPAA does not always pre-empt state law. HIPAA will pre-empt a provision of state law only when the state law is both contrary to and less stringent than HIPAA.[3] Texas has a number of very specific statutes that deal with health information, and in several cases, Texas law is both contrary to and more stringent than HIPAA’s Privacy Rule, so the county hospital must examine both HIPAA’s Privacy Rule and the appropriate Texas law to determine which will control in this situation. For a comprehensive pre-emption analysis of Texas law that is routinely updated, see the Texas AG Preemption Analysis.[4]
HIPAA’s Privacy Rule does not specifically address “releasing an individual’s medical records to an ADA pursuant to and in accordance with a subpoena.” However, HIPAA’s Privacy Rule includes several potential exceptions that might apply so that a “covered entity,” such as a hospital, need not obtain an individual’s authorization before releasing that person’s medical records to an ADA:
1) disclosures for judicial and administrative proceedings;[5]
2) disclosures for law enforcement purposes;[6] and
3) disclosures to avert a serious threat to health or safety.[7]
Of these three potential exceptions, the one most likely to apply in this particular situation is the judicial and administrative proceeding exception. Covered entities may disclose protected health information (usually referred to as PHI) “in the course of any judicial or administrative proceeding,” in response to a court order or to a subpoena that is not accompanied by a court order if the covered entity “receives satisfactory assurance” that the subject of the PHI has been given notice of the request or that the requestor has made reasonable efforts to secure a qualified protective order for the PHI.[8] The covered entity may also release the records pursuant to the ADA’s subpoena without receiving satisfactory assurance if the covered entity asks the defendant to authorize the release or the covered entity obtains a qualified protective order that includes the required elements.[9]
Confidentiality of hospital medical records is governed under Texas Health & Safety Code §241.151 et seq., and Texas Health & Safety Code §241.153(20) specifically addresses when a hospital can release an individual’s medical records to an ADA. Texas Health & Safety Code §241.153(20) provides not only that a hospital may release a patient’s records if the disclosure is “related to a judicial proceeding in which the patient is a party and the disclosure is requested under a subpoena issued under … the Texas Code of Criminal Procedure,” but also that the hospital may disclose those records without obtaining the patient’s authorization.[10]
According to the Texas AG Preemption Analysis, Texas Health & Safety Code §241.153(20) is related but not contrary to HIPAA’s Privacy Rule, so it is not pre-empted.[11] In this hypothetical situation, the county hospital can—and must—comply with both laws. Applying the judicial and administrative proceeding exception of HIPAA’s Privacy Rule, the county hospital need not obtain authorization from the defendant, although it might seek one from her or notify her that the ADA has requested her records. Under Texas law, too, the county hospital can release the requested medical records to the ADA without having to obtain an authorization from the defendant, provided that the ADA’s subpoena is signed by the clerk of the criminal district court in which the defendant will be tried.[12]
In reality, however, while the county hospital is permitted to release the requested medical records solely because the ADA’s subpoena is valid, it is important to note that 1) such a disclosure is not mandated, it’s only allowed;[13] and 2) occasionally, Texas hospitals will also require the ADA to provide a “HIPAA letter” or a “HIPAA affidavit” in addition to a subpoena before they will release the requested medical records. The HIPAA letter or affidavit sets forth the conditions that must be met under the law enforcement purposes exception of HIPAA’s Privacy Rule before the covered entity can release an individual’s PHI to law enforcement without first obtaining the individual’s authorization.[14] The subpoena must specify that the information being requested is “relevant and material to a legitimate law enforcement inquiry,” that the subpoena is limited in scope, and that “[d]e-identified information could not reasonably be used.” Covered entities that require HIPAA letters