General counsel may have access to all kinds of information during the discovery phase of litigation. But with the added wrinkle of electronic discovery, lawyers must tread lightly and carefully with this information, especially when dealing with personal health information.
The Health Insurance Portability and Accountability Act (HIPAA) established strict standards for healthcare providers, health plans and other covered entities to maintain the security and privacy of patients’ protected health information (PHI). Additionally, under the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, these rules also now apply to business associates of covered entities, as defined and explained in a previous article.
To address these discovery requests, counsel should attempt to come to an agreement with opposing counsel to narrow the scope of what is deemed relevant information in order to avoid disclosure of PHI. However, in circumstances where pertinent evidence contains PHI, it is important to note that disclosure is not automatically permitted just because a discovery request has been made. Specifically, under HIPAA, disclosure of PHI is available only if the request is court-ordered or made in response to a subpoena, discovery request or other lawful process—as long as opposing counsel gives to the covered entity that they have notified the individual or have obtained a protective order. Furthermore, certain states have different standards for disclosure of health information as part of a discovery request, some even more stringent than HIPAA. Considering these hurdles, if a covered entity must disclose PHI as part of the discovery process, the parties should try to come to agreement on a method of disclosure that avoids HIPAA issues (e.g., de-identifying the records), or both parties should be prepared to incur substantial discovery costs.