Disclosures of PHI that occur during litigation

Healthcare providers need to be aware of disclosures during litigation to ensure legal compliance while participating effectively in these proceedings.

Can a covered entity share PHI during litigation?

Yes, a covered entity is generally allowed to share protected health information (PHI) during litigation, subject to certain conditions outlined in the HIPAA Privacy Rule. The Privacy Rule allows for disclosures of PHI for judicial and administrative proceedings under 45 CFR 164.512(e). 

Requirements for disclosure

1. Satisfactory assurances: If the covered entity is not a party to the litigation, it must obtain or receive satisfactory assurances before making a disclosure for judicial or administrative proceedings. This includes ensuring that the recipient, often another party involved in the legal process, will use the information appropriately and protect its confidentiality.
2. Disclosure to lawyers as business associates: Covered entities often share PHI for litigation purposes with lawyers who are business associates of the covered entity. These disclosures to lawyer-business associates are not themselves subject to the accounting requirement.
3. Business associate agreements: If the lawyer-business associate makes disclosures subject to the accounting requirement, the business associate agreement must ensure that the lawyer provides information about these disclosures to the covered entity. This enables the covered entity to fulfill its obligation to provide an accounting to the individual. 

See also: Can healthcare professionals disclose PHI for marketing purposes?

Providing notice to legal council and HIPAA

Disclosures of PHI to legal counsel in the context of litigation falls within the purview of the HIPAA Privacy Rule. A covered entity can provide notice to the individual's lawyer as an acceptable alternative to providing notice directly to the individual, as long as certain conditions are met. When this disclosure is made for litigation that the covered entity is not party to, they must ensure that satisfactory assurance is met. 

Conditions that must be met for a disclosure to legal representatives

1. Authorization or permissible purpose: The notice to the legal representative should be authorized by the individual or permissible under the Privacy Rule. This may include disclosures for treatment, payment, health care operations, or disclosures required by law.
2. Satisfactory assurances: Covered entities must establish satisfactory assurances with the legal representative that the notice will be relayed to the individual. This ensures that the individual is aware of the disclosure and its purpose.
3. Content of notice: The notice provided to the legal representative should include sufficient information about the litigation, enabling the individual to raise objections in court if necessary.
4. Timeframe for objections: The notice should specify the timeframe within which the individual can raise objections to the disclosure. It should also indicate that the disclosure will proceed if no objections are raised within this timeframe.
5. Accounting of disclosures: Covered entities are generally required to account for disclosures made during litigation, even when notice is provided to legal representatives. Individuals have the right to request an accounting of these disclosures.
6. Business associate agreement: If the legal representative is acting as a business associate, there should be a valid business associate agreement outlining their responsibilities in handling PHI and providing notice.
7. Individual's right to object: If the individual raises objections within the specified timeframe, the covered entity should follow applicable procedures to address these objections and assess whether the disclosure should proceed.

See also: How to handle PHI when subpoenaed

Accounting for disclosure

Covered entities must account for disclosures of PHI made during litigation, allowing individuals to request an accounting of these disclosures. These include

• Disclosures required by law 
• Disclosures for a proceeding before a health oversight agency
• Disclosures in response to a subpoena, discovery request, or other lawful process 

Not all disclosures need to be accounted for. There are exceptions to the accounting requirement, including disclosures for treatment, payment, health care operations, and those authorized by the individual.

See also: HIPAA Compliant Email: The Definitive Guide