A HIPAA-covered entity may use or disclose protected health information (PHI) for litigation, as permitted or required by the HIPAA Privacy Rule. Subject to certain conditions, the HIPAA Privacy Rule typically permits uses and disclosures of PHI for litigation, whether the litigation takes the form of a judicial proceeding or an administrative proceeding.
When May a HIPAA-Covered Entity Use or Disclose PHI for Litigation?
The HIPAA Privacy Rule permits a HIPAA-covered entity to use and disclose PHI for litigation as follows:
- A covered entity may disclose protected health information in the course of a judicial or administrative proceeding:
  - In response to an order of a court or administrative tribunal, provided that the covered entity discloses only the protected health information expressly authorized by such order; or
  - In response to a subpoena, discovery request, or other lawful process, that is not accompanied by an order of a court or administrative tribunal, if:
    - The covered entity receives satisfactory assurance, from the party seeking the information, that reasonable efforts have been made by that party to ensure that the individual who is the subject of the protected health information that has been requested has been given notice of the request; or
    - The covered entity receives satisfactory assurance, from the party seeking the information, that reasonable efforts have been made by that party to secure a qualified protective order.
What is a Qualified Protective Order?
A qualified protective order is an order of a court or of an administrative tribunal (for example, the Federal Energy Regulatory Commission, or the Social Security Administration, which are bodies staffed with judges that interpret administrative law) or a stipulation (agreement) by the parties to the litigation or administrative proceeding, that:
- Prohibits the parties from using or disclosing the protected health information for any purpose other than the judicial or administrative proceeding for which the PHI was requested; and
- Requires the return to the covered entity or destruction of the protected health information (including all copies made) at the end of the litigation or proceeding.
May a HIPAA-Covered Entity Use or Disclose PHI for Litigation as Part of Its Health Care Operations?
Generally, yes. Where a covered entity is a party to a legal proceeding, such as a plaintiff or defendant, the covered entity may use or disclose protected health information for purposes of the litigation as part of its health care operations. The definition of “health care operations” includes a covered entity’s activities of conducting or arranging for legal services to the extent such activities are related to the covered entity’s covered functions – those functions that make the entity a health plan, provider, or clearinghouse – including legal services related to an entity’s treatment or payment functions.
Therefore, for example, a covered entity that is a defendant in a malpractice action or a plaintiff in a suit to obtain payment may use or disclose protected health information for such litigation as part of its health care operations. The covered entity, however, must make reasonable efforts to limit such uses and disclosures to the minimum necessary to accomplish the intended purpose.
Where the covered entity is not a party to the proceeding, the covered entity may disclose protected health information for the litigation in response to a court order, subpoena, discovery request, or other lawful process, as described above.
Are There Other Circumstances Under Which a HIPAA-Covered Entity May Use or Disclose PHI for Litigation?
Depending on the context, a covered entity’s use or disclosure of protected health information in the course of litigation also may be permitted under a number of other provisions of the HIPAA Privacy Rule, including uses or disclosures that are:
- Required by law (as when the court has ordered certain disclosures),
- For a proceeding before a health oversight agency (as in a contested licensing revocation),
- For payment purposes (as in a collection action on an unpaid claim), or
- With the individual’s written authorization.