Do covered entities need to inform patients about info shared in litigation?
Kirsten Peremore Dec 29, 2024 12:55:41 PM
Patients can request an accounting of disclosures that includes information shared by their covered entity during litigation, as per 45 CFR 164.528.
The disclosures made during litigation
HHS guidance provides an answer: “Individuals have a right to receive, upon request, an accounting of disclosures of protected health information made by a covered entity (or its business associate), with certain exceptions.”
During litigation, healthcare providers might need to share protected health information (PHI) for various legal purposes. For instance, they might provide a patient's medical records as evidence in a court case, comply with a court order that mandates the release of specific health information, or respond to legal requests such as subpoenas and discovery requests from attorneys.
Typically, healthcare providers do not need to inform patients before making these disclosures. This exemption exists because the legal process often demands timely and accurate information, and notifying patients could delay legal proceedings or jeopardize the integrity of the case.
HIPAA recognizes that legal obligations can sometimes take precedence over patient notification so that justice is served efficiently and effectively. This balance helps protect both the legal process and patients.
Can patients request the disclosure of information shared during litigation?
Patients have the right to request an accounting of certain disclosures of their PHI made by a covered entity, which includes information shared during litigation. This is outlined in 45 CFR 164.528. Specifically, patients can request an accounting of disclosures made without their authorization for various purposes, including those required by law, for health oversight activities, or in response to legal proceedings.
The sections of HIPAA that apply:
Section 164.528(a)(1): Accounting of disclosures of protected health information
This section states that individuals have the right to receive an accounting of disclosures of their PHI made by a covered entity in the six years prior to the date on which the accounting is requested.
Section 164.528(a)(2): Exceptions to the accounting requirement
The regulation lists exceptions where an accounting is not required, such as disclosures made for treatment, payment, and healthcare operations, or those made with the individual’s authorization. However, it does not exclude disclosures made for litigation purposes under the general conditions specified in Section 164.512.
Section 164.512: Uses and disclosures for which an authorization or opportunity to agree or object is not required
This section covers permissible disclosures without patient authorization, including those required by law (164.512(a)), for judicial and administrative proceedings (164.512(e)), and for health oversight activities (164.512(d)).
A practical example of PHI disclosure according to state legislation
A 2017 American Medical Association news story reported on the case of Charles v. Southern Baptist Hospital of Florida. Physicians and hospitals share medical incident reports with patient safety organizations (PSOs) to improve patient safety. However, the Supreme Court of Florida ruled that this information is not protected from disclosure in medical liability cases. This decision reversed a previous ruling by a Florida appeals court, which had protected such information under the federal Patient Safety and Quality Improvement Act of 2005 (PSQIA).
The PSQIA was designed to encourage the sharing of information for quality improvement without fear of liability. However, the Florida Supreme Court decided that healthcare providers cannot shield documents from discovery in litigation simply by placing them under the PSO system. This ruling emphasizes that while the PSQIA aims to enhance patient care and safety, it does not override state laws regarding the discovery of information in legal cases.
FAQs
What is a covered entity?
A covered entity is a healthcare provider, health plan, or healthcare clearinghouse that transmits any health information in electronic form in connection with transactions covered by HIPAA.
What are patients' rights under HIPAA?
Patients have the right to access their health information, request corrections, receive an accounting of disclosures, request restrictions on certain uses and disclosures, and obtain a copy of the privacy notice.
When do patients need to give permission to share or use their PHI?
Patients need to give permission to share or use their PHI for purposes not related to treatment, payment, healthcare operations