Disclosing PHI: What’s legal vs. what’s illegal

September 28, 2018

Legal insights from both sides of the aisle about what to do when protected health information (PHI) has been disclosed or when law enforcement requests it in a legal proceeding.

In general, the Health Information Portability and Accountability Act of 1996 (HIPAA) prevents the disclosure of protected health information (PHI) unless a patient has consented to its disclosure or it is for treatment purposes. Like most laws and regulations, HIPAA contains exceptions.

Let’s explore those exceptions from both sides of the aisle: plaintiff and defense. These exceptions can and do come into play in a variety of legal proceedings ranging from the False Claims Act to trade secrets.

From the plaintiff’s side, the exception that physicians and other providers need to be aware of is 45 C.F.R. § 164.502(j)(1), which permits a covered entity or business associate’s workforce member to do the following:

  • The workforce member or business associate believes in good faith that the covered entity has engaged in conduct that is unlawful or otherwise violates professional or clinical standards, or that the care, services, or conditions provided by the covered entity potentially endangers one or more patients, workers or the public; and
  • The disclosure is to:
  • (B) An attorney retained by or on behalf of the workforce member or business associate for the purpose of determining the legal options of the workforce member or business associate with regard to the conduct described in paragraph (j)(1)(i) of this section.

It is also appropriate to provide protected health information in certain circumstances to the government. For example, 45 C.F.R. §162.512(f), (j), provides the ability for law enforcement functions to continue with the appropriate safeguards without the individual’s written consent.

From the defense side of the aisle, it is common for a trade secret violation to be raised by defense attorneys in an effort to retaliate against the person. Or, there could be a legitimate reason for this to be raised. For example, if the workforce member provided a list of PHI to a potential employer or competitor in addition to providing the information to an attorney, the exception identified above would no longer cover the individual.

Another item that defense counsel needs to be aware of is that even though law enforcement or the government may request PHI, it must be done in accordance with procedural and evidentiary aspects of the law. [See 45 C.F.R. 164.512(f)(1)(ii).] This means that a warrant, an administrative request, or other official document must be obtained, executed, and shown, to the doctor’s office or hospital, for example. Failing to follow proper legal evidentiary and procedural channels could “taint” the evidence and result in the “fruit from the poisonous tree.” In other words, that could mean the evidence that was obtained in an illicit manner by the government or law enforcement may be inadmissible or even harm the overall case.

 It is important to appreciate that a subpoena or a request for documents about a patient from a private lawyer in a civil case needs to be disclosed to the patient and cannot just be handed over, which is what the Connecticut Supreme Court addressed in Emily Bryne v. Avery Center for Obstetrics and Gynecology, SC 19873 (Jan. 2018).

In sum, providers should be very cautious about handing over PHI as well as filing parallel or retaliatory suits for HIPAA or trade secret violations. The best course of action is to seek the advice of legal counsel before either providing PHI to another entity, responding to a request for information, or retaliating against a workforce member who meets the exception to disclose PHI to an attorney.

Rachel V. Rose, JD, MBA, advises clients on compliance and transactions in healthcare, cybersecurity, corporate and securities law, while representing plaintiffs in False Claims Act and Dodd-Frank whistleblower cases. She also teaches bioethics at Baylor College of Medicine in Houston. Rachel can be reached through her website, www.rvrose.com.