September-October 2018

HIPAA in the county and district attorney’s world

Lisa L. Dahm, LLM-Health

Assistant County Attorney and Privacy Officer in Harris County

Mention the Health Insurance Portability and Accountability Act of 1996,1 otherwise known as HIPAA, to someone in law enforcement or a county or district attorney’s office and you’ll likely receive one of a few responses: “[expletive deleted],” “I don’t have to worry about HIPAA because it doesn’t apply to me,” or “I can’t ever get the medical records I need without a fight!” It’s often accompanied by changes in a person’s physical appearance: redness of the face and neck, clenched fists, increased and rapid heart rate, and an unwavering glare. You can’t help but wonder which of these responses is correct.
    Whether you’re in law enforcement or in a prosecutor’s office, I hope this article will help dispel common misunderstandings about HIPAA and clarify its actual requirements when it comes to making sure everyone can effectively do his or her own job. While I initially thought I could limit this article to HIPAA only, there are several Texas laws that must also be included and addressed, especially because one of the most frequent questions I hear from Texas prosecutors is, “What must my office do to comply with HIPAA?”
    It’s been my experience that it’s easier to learn something when you see how it applies in the real world, so this article presents a fairly straightforward hypothetical about health information and then analyzes the issues it presents under HIPAA’s Privacy Rule and several relevant Texas confidentiality statutes. It concludes with a “final answer” for each issue as to whether and how health information can be disclosed, plus what the requestor’s office must do to comply with HIPAA and with Texas law.

The hypothetical
An assistant district attorney (ADA) is preparing his burglary case against a defendant. He issues a subpoena to the county hospital requesting the defendant’s medical records; she had cut her arm on the glass door of a house she had broken into (allegedly to burgle) as she tried to flee from the homeowner. The homeowner heard someone breaking into her house and immediately called the police. The homeowner then chased the defendant into the backyard, tackled her to the ground, and held her until police arrived. The defendant was taken to the county hospital for treatment for her injuries and was then taken to the county jail.
    The ADA also sends a subpoena for the homeowner’s medical records to the hospital where she was treated for cuts and bruises she sustained during her fight with the defendant.
    Important questions about the case:
•    May the ADA get the defendant’s medical records from the county hospital?
•    May the ADA get the homeowner’s medical records from the other hospital?
•    If the ADA obtains copies of the medical records he’s requested, must he protect the confidentiality of those records or take any special precautions with respect to handling or disposing of them?

The defendant’s medical records. When the defendant was taken to the county hospital, she was treated like any member of the general public who presents for treatment: She was registered as a patient in the emergency room and received treatment for her injuries, and that treatment was recorded in detail in her medical record. She was then discharged back to the police for transport to the county jail.
    When the county hospital receives a request for the defendant’s health information, the county hospital has an obligation (as a covered entity under both HIPAA and Texas law) to protect it. HIPAA applies only to “covered entities”: 1) health plans, 2) healthcare clearinghouses, and 3) healthcare providers that transmit health information electronically in connection with HIPAA-defined transactions.2 Under Texas Health & Safety Code Chapter 181, aka “Texas’s HIPAA,” the term “covered entity” is broader, covering not just those individuals and entities, but also any individual or entity that comes into possession of health information. Therefore, the county hospital must determine 1) whether HIPAA’s Privacy Rule or Texas law will control the release of this individual’s records in this situation, and 2) whether that law requires or permits the county hospital to produce the requested medical records to the ADA in accordance with a subpoena, or whether the county hospital must obtain the defendant’s permission first.
    It’s important to understand that, unlike most federal laws, HIPAA does not always pre-empt state law. HIPAA will pre-empt a provision of state law only when the state law is both contrary to and less stringent than HIPAA.3 Texas has a number of very specific statutes that deal with health information, and in several cases, Texas law is both contrary to and more stringent than HIPAA’s Privacy Rule, so the county hospital must examine both HIPAA’s Privacy Rule and the appropriate Texas law to determine which will control in this situation. For a comprehensive pre-emption analysis of Texas law that is routinely updated, see the Texas AG Preemption Analysis.4
    HIPAA’s Privacy Rule does not specifically address “releasing an individual’s medical records to an ADA pursuant to and in accordance with a subpoena.” However, HIPAA’s Privacy Rule includes several potential exceptions that might apply so that a “covered entity,” such as a hospital, need not obtain an individual’s authorization before releasing that person’s medical records to an ADA:
    1)    disclosures for judicial and administrative proceedings;5
    2)    disclosures for law enforcement purposes;6 and
    3)    disclosures to avert a serious threat to health or safety.7
    Of these three potential exceptions, the one most likely to apply in this particular situation is the judicial and administrative proceeding exception. Covered entities may disclose protected health information (usually referred to as PHI) “in the course of any judicial or administrative proceeding,” in response to a court order or to a subpoena that is not accompanied by a court order if the covered entity “receives satisfactory assurance” that the subject of the PHI has been given notice of the request or that the requestor has made reasonable efforts to secure a qualified protective order for the PHI.8 The covered entity may also release the records pursuant to the ADA’s subpoena without receiving satisfactory assurance if the covered entity asks the defendant to authorize the release or the covered entity obtains a qualified protective order that includes the required elements.9
    Confidentiality of hospital medical records is governed under Texas Health & Safety Code §241.151 et seq., and Texas Health & Safety Code §241.153(20) specifically addresses when a hospital can release an individual’s medical records to an ADA. Texas Health & Safety Code §241.153(20) provides not only that a hospital may release a patient’s records if the disclosure is “related to a judicial proceeding in which the patient is a party and the disclosure is requested under a subpoena issued under … the Texas Code of Criminal Procedure,” but also that the hospital may disclose those records without obtaining the patient’s authorization.10
    According to the Texas AG Preemption Analysis, Texas Health & Safety Code §241.153(20) is related but not contrary to HIPAA’s Privacy Rule so it is not pre-empted.11 In this hypothetical situation, the county hospital can—and must—comply with both laws. Applying the judicial and administrative proceeding exception of HIPAA’s Privacy Rule, the county hospital need not obtain authorization from the defendant, although it might seek one from her or notify her that the ADA has requested her records. Under Texas law, too, the county hospital can release the requested medical records to the ADA without having to obtain an authorization from the defendant, provided that the ADA’s subpoena is signed by the clerk of the criminal district court in which the defendant will be tried.12
    In reality, however, while the county hospital is permitted to release the requested medical records solely because the ADA’s subpoena is valid, it is important to note that 1) such a disclosure is not mandated, it’s only allowed;13 and 2) occasionally, Texas hospitals will also require the ADA to provide a “HIPAA letter” or a “HIPAA affidavit” in addition to a subpoena before they will release the requested medical records. The HIPAA letter or affidavit sets forth the conditions that must be met under HIPAA’s Privacy Rule’s law enforcement purposes exception before the covered entity can release an individual’s PHI without first obtaining the individual’s authorization to law enforcement.14 The subpoena must specify that the information being requested is “relevant and material to a legitimate law enforcement inquiry,” that the subpoena is limited in scope and that “[d]e-identified information could not reasonably be used.” Covered entities that require HIPAA letters or affidavits in addition to valid subpoenas are in essence ensuring that their disclosure could be found proper under two exceptions to HIPAA’s Privacy Rule.

The homeowner’s medical records. While the ADA can obtain the defendant’s medical records without her written authorization under both HIPAA’s Privacy Rule and Texas law, the hospital at which the homeowner was treated will not be able to provide her medical records to the ADA until the homeowner authorizes their disclosure. In the ADA’s case against the defendant, the homeowner is a victim, not a party, so the exception allowed under Texas Health & Safety Code §241.153(20) does not apply to her.
    HIPAA’s Privacy Rule’s disclosure to law enforcement for law enforcement purposes exception does not apply either because it allows a covered entity to disclose only information that will be used to identify and/or locate a “suspect, fugitive, material witness, or missing person,”15 not a victim like the homeowner. Even if the homeowner is a “material witness,” as in our hypothetical, the exception does not apply because the ADA already has her identity and knows where she lives. Therefore, HIPAA’s Privacy Rule prohibits the hospital from disclosing the homeowner’s entire medical record or even just the portion that documented her treatment for injuries she sustained during the fight with the defendant. HIPAA limits the information that can be disclosed for identification and location purposes solely to the individual’s name, address, date and place of birth, Social Security number, blood type and Rh factor, type of injury, and any distinguishing physical characteristics (such as height, weight, gender, race, hair and eye color, facial hair, scars, and tattoos).16
    Additionally, HIPAA’s Privacy Rule’s judicial and administrative proceedings disclosure exception would apply only if the homeowner is notified of the request and a protective order is obtained for her records. Thus, the ADA will need to contact the homeowner directly and ask her to execute a valid HIPAA Authorization that will allow the hospital to release her medical records to him. Such authorization must include the following core elements:
    1)    a detailed description of the information that is being requested;
    2)    the name of the individual or entity that has possession of the information;
    3)    the name of the individual or entity to which the information is to be disclosed;
    4)    the purpose for which the information is to be disclosed;
    5)    an expiration date or event; and
    6)    the individual’s signature and date signed or, if signed by someone other than the individual, the signature of that individual, the date she signed, and a description of the authority of that individual to act on behalf of the individual.
    A valid HIPAA Authorization must also include three statements:
    1)    that the individual has the right to revoke her authorization at any time;
    2)     that signing the authorization was not a condition of the individual’s obtaining treatment, payment, enrollment, or eligibility for benefits; and
    3)    that if the authorized recipient of the individual’s PHI re-discloses that information, the individual cannot hold the covered entity liable for the re-disclosure.17
    Many covered entities prefer (or require) the requestor to use the covered entity’s HIPAA Authorization. In some cases, the reason for this requirement is because the employees responsible for confirming an authorization is “valid,” as required by HIPAA’s Privacy Rule, are unfamiliar with forms other than those on which they have received training.

The ADA’s duties to these medical records. Neither the ADA nor his office is a “covered entity” under HIPAA, so neither the ADA nor the prosecutor’s office needs to comply with HIPAA’s Privacy Rule. However, the office is a covered entity under Texas law;18 thus, it must comply with Texas Health & Safety Code Chapter 181. Texas Health & Safety Code Chapter 181, also known as “Texas’s HIPAA,” contains significantly fewer provisions than HIPAA’s Privacy Rule, and there are three major differences between the two:
    1)    the definition of “covered entity” (defined above),
    2)    the training that is required, and
    3)    permitted uses and disclosures.
    Texas’s HIPAA’s “covered entity” is defined as any person who handles PHI, including a business associate, healthcare payer, governmental unit, information or computer management entity, school, health researcher, healthcare facility, clinic, healthcare provider, or person who maintains an Internet site.19 Texas’s definition is far broader than HIPAA’s.
    As far as required training goes, the prosecutor’s office must provide training “regarding the state and federal law concerning protected health information as necessary and appropriate for the employees to carry out the employees’ duties.”20 Note that HIPAA’s Privacy Rule requires training of the covered entity’s entire workforce, whereas Texas’s HIPAA requires training only the entity’s employees.21 Neither HIPAA’s Privacy Rule nor Texas Health & Safety Code Chapter 181 specify how frequently training must be conducted, only that it be provided “as necessary and appropriate” for individuals to carry out their duties for the covered entity, but most covered entities conduct HIPAA Privacy training annually.22 Prosecutors who need training on HIPAA or Texas’s HIPAA have a couple of options.23
    The office must also have each employee sign a statement that he or she has attended the training and must maintain all of the signed statements “until the sixth anniversary of the date [each] statement is signed.”24
    Unlike HIPAA’s Privacy Rule, which describes in some detail what a covered entity can do with PHI and how the covered entity must do it, the primary focus of Texas’s HIPAA is on what the covered entity is prohibited from doing with PHI.25 Under Texas’s HIPAA, the prosecutor’s office’s sole affirmative obligation to the individuals whose PHI is obtained by and stored in the office is to notify them that their PHI is subject to electronic disclosure.26 Nonetheless, the fact that the prosecutor office is required to conduct training that addresses both state and federal law could be interpreted to mean that Texas covered entities are expected to protect the PHI in their possession. The Texas Attorney General is responsible for enforcing Texas Health & Safety Code Chapter 181 and has the power to seek injunctive relief and impose civil penalties against a Texas covered entity for a violation of the law. In addition, §181.202 provides that “a covered entity that is licensed by an agency of this state is subject to investigation and disciplinary proceedings, including probation or suspension by the licensing agency.” While the likely intent of the Texas Legislature was that §181.202 would apply only to covered entities that were licensed healthcare individuals and entities, the section could also be interpreted to include attorneys who use and/or access PHI. While state attorneys general can enforce HIPAA, it is not common—only four have ever done it, and Texas’s AG has never taken any such action.
    Evaluating and adopting the relevant administrative requirements in HIPAA’s Privacy Rule27 would certainly help the prosecutor’s office demonstrate it had taken “reasonable steps” to protect the PHI in its possession.

Discovery in criminal cases
Many prosecutors reading this article may wonder what, if anything, they must do to protect the health information they obtain given their discovery obligations under the Michael Morton Act.28 The good news is, provided that the ADA has properly obtained that information in accordance with HIPAA’s Privacy Rule and with Texas law, and provided that the prosecutor’s office has implemented “reasonable steps” to protect the health information in its possession, health information need not be treated any differently from any other documents, papers, or written or recorded statements related to the criminal case during discovery.  
    The ADA is not a covered entity under HIPAA’s Privacy Rule, so the prosecutor is free to disclose health information without regard to HIPAA’s Privacy Rule. The ADA is a covered entity only under Texas’s HIPAA, and Texas’s HIPAA does not prohibit the ADA from re-disclosing health information, only from selling it, using the health information for marketing purposes, or re-identifying the individual from the health information.29 Because disclosing the health information in accordance with the Michael Morton Act is not one of the prohibited disclosures under Texas’s HIPAA, prosecutors should not be concerned about potential enforcement activities, either under HIPAA or under Texas’s HIPAA, with respect to their providing health information to the defense during discovery in accordance with the Michael Morton Act.

Conclusion
HIPAA’s Privacy Rule, and to an extent Texas law, requires covered entities to protect the health information in their possession, and these laws subject those covered entities to significant civil and criminal penalties30 if they fail. Covered entities rightly fear being held liable for those penalties, so they take extra care to ensure that every disclosure is proper, which occasionally makes even the simplest release take longer than it should.
    Law enforcement and prosecutors should recognize they’re more likely to receive the health information they request when they 1) convey their identity and the fact that they have the authority to obtain the information, 2) describe their reason for needing the information (i.e., describe the purpose of the disclosure), 3) ensure that the facts and circumstances of their request meet the criteria of an authorized disclosure, and 4) make their request in a professional and respectful manner. And when law enforcement and prosecutors come into possession of health information, they must recognize that Texas law imposes an obligation on their employers to properly train employees and take “reasonable steps” to protect and safeguard that information.

Endnotes

Please note: The views and opinions expressed in this paper are those of the author and do not necessarily reflect the official policy or position of Harris County.

1  Pub. L. No. 104-191, 110 Stat. 1396 (1996).

2  See 42 U.S.C. §1320d-1(a). See also 45 C.F.R. §160.103.

3  See 45 C.F.R. §160.200 et seq.

4  Find it at https://www.texasattorneygeneral.gov/files/agency/hipaa.pdf.

5  45 C.F.R. §164.512(e).

6  45 C.F.R. §164.512(f). Disclosures that are allowed for law enforcement purposes are to be made to a law enforcement official 1) pursuant to laws that require reporting of certain types of wounds or injuries; 2) pursuant to court orders, court-ordered warrants, or a subpoena or summons signed by a judicial officer; 3) provided the information disclosed is limited and will be used only to locate and/or identify a suspect, fugitive, material witness, or missing person; 4) when the individual is suspected to be a victim of a crime; 5) to advise law enforcement that a decedent might have died as a result of criminal conduct; 6) to report a good faith belief that a crime was committed on the covered entity’s premises; or 7) to report a real or suspected crime in an emergency.

7  45 C.F.R. §164.512(j). Disclosures that are allowed to avert a serious threat to health or safety may be made to “prevent or lessen a serious and imminent threat to the health or safety of a person or the public” or “[i]s necessary for law enforcement authorities to identify or apprehend an individual.”

8 45 C.F.R. §164.512(e)(1).

9  45 C.F.R. §164.512(e)(1)(vi).

10  Texas Health & Safety Code §241.153(20).

11  Texas AG Preemption Analysis, supra note 6, at 225.

12  Tex. Code Crim. Proc. Art. 24.03. Because the defendant is the individual on trial, she is a “party to the judicial proceeding” as required for the county hospital to release her records to the ADA under Texas Health & Safety Code §241.153(20).

13  Texas Health & Safety Code §241.153.

14  See 45 C.F.R. §164.512(f)(1)(ii)(C).

15  See 45 C.F.R. §164.512(f)(2).

16  Id.

17  45 C.F.R. §164.508(c)(1)–(2).

18  Texas Health & Safety Code §181.001(b)(2)(B).

19  Id.

20  Texas Health & Safety Code §181.101(a).

21  See 45 CFR §164.530(b)(1); Texas Health & Safety Code §181.101(a).

22  See Daniel J. Solove, HIPAA Training Requirements, Frequently Asked Questions, Teach Privacy, available at https://teachprivacy.com/hipaa-training-requirements/ (last visited July 31, 2018).

23  This article’s author has recorded two different videos accredited for MCLE hours through the Texas Bar. One is a 45-minute video on HIPAA only; it’s available at http://www.harriscountycao.org/hipaa-training-program. The other is a 75-minute video at http://www.harriscountycao.org/hipaa-181-training; it covers both HIPAA and Texas’s HIPAA. Each one has a link to YouTube in case the video can’t be viewed through the Harris County website. There’s also a form at the bottom of each page that viewers can complete to receive MCLE hours.

24  Texas Health & Safety Code §181.101. HIPAA’s Privacy Rule requires those statements be maintained for a minimum of “six years from the date [the statement is signed].” 45 CFR §164.530(j)(2).

25  See Texas Health & Safety Code, Chapter 181, Subchapter D. A covered entity cannot 1) re-identify or attempt to re-identify an individual based on his or her PHI unless the covered entity obtains the individual’s consent or authorization; 2) use PHI for marketing purposes; or 3) sell PHI for direct remuneration. A covered entity is also prohibited from electronically disclosing an individual’s PHI without first obtaining his or her authorization unless the disclosure is for purposes of treatment, payment, or healthcare operations. Note that legal offices are not “custodians” of the records they receive for case preparation, so they are not bound by the authorization requirement. In the electronic service of medical records filed with the court for use at trial, I strongly recommend that both the State and defense counsel file a joint protective order to protect medical records from everyone but the lawyers, the parties, and the court.

26  Texas Health & Safety Code §181.154(s).

27  See 45 C.F.R. §164.530. Besides training, the most relevant administrative requirements to consider would be the Safeguards Standard (45 C.F.R. §164.530(c)(1)), Sanctions Standard (45 C.F.R. §164.530(e)(1)), and Policies and Procedures Standard (45 C.F.R. §164.530(i)(1)).

28  See Tex. Code Crim. Proc. Art. 39.14.

29  See supra, note 25.

30  A detailed description of HIPAA’s civil and criminal penalties is beyond the scope of this article. See 42 U.S.C. §1320d-5 for a description of HIPAA’s civil penalties, and see 42 U.S.C. §1320d-6 for a description of HIPAA’s criminal penalties. See also Texas Health & Safety Code, Chapter 181, Subchapter E for a description of the Texas Attorney General’s enforcement powers under Texas’ HIPAA.