Wednesday, July 31, 2019
"Med Mal 101: Back to Basics" is a 12-part series produced by Friday, Eldredge & Clark. Written by the attorneys in the Medical Malpractice Group, the content will be delivered monthly via email and is designed to give physicians and other healthcare providers information they need to know about malpractice litigation.
Part 7 of 12:
Subpoenas and HIPAA
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects an individual’s personal health information (PHI) from unlawful disclosure. [1] When served with a subpoena to provide medical records, a medical care provider must take care to properly honor the subpoena, while also avoiding unlawful disclosure of personal health information.

A subpoena alone may be insufficient to allow disclosure of PHI. Therefore, in most cases, a subpoena for medical records will also include a HIPAA-compliant medical authorization signed by the patient. If a subpoena requests medical records and permission from the patient is not clear, it is best to contact an attorney prior to disclosure of records to ensure HIPAA compliance.

A HIPAA-covered provider may disclose information to a party issuing a subpoena only if the notification requirements of the Privacy Rule [2] are met. Before responding to the subpoena, the provider or plan must receive “satisfactory assurances” that certain steps have been taken to protect the patient’s privacy. [3]  
 Under the statute, a covered entity receives “satisfactory assurances” when the party issuing the subpoena provides a written statement and accompanying documentation demonstrating that:

  1. the party requesting such information made a good faith attempt to provide written notice to the individual;
  2. the notice included sufficient information about the litigation or proceeding in which the protected health information is requested to permit the individual to raise an objection to the court; and
  3. the time for the individual to raise objections has elapsed,[4] and either no objections were filed or the court has already resolved any objections that were raised.[5] 

The statute also describes what a qualified protective order requires. The protective order must have been issued by order of a court or of an administrative tribunal, or by stipulation of the parties to the litigation or administrative proceeding. [6] A qualified protective order prohibits parties from using or disclosing protected health information for any purpose other than the litigation or proceeding for which such information was requested and requires the return to the covered entity or destruction of the protected health information, including all copies made, at the conclusion of the litigation or proceeding. [7]

Next month, we will address the discovery process in medical malpractice cases. 

[2] See 45 C.F.R. § 164.512(e).
[4] For more information on time to respond, see Part 6 of our MedMal 101 series.
[5] See 45 C.F.R. § 164.512(e)(1)(iii).
[6] See 45 C.F.R. § 164.512(e)(1)(v).
[7] See 45 C.F.R. § 164.512(e)(1)(v)(A)-(B).  

The information was written by the attorneys in the Medical Malpractice Group at Friday, Eldredge & Clark, LLP.

This information is not a substitute for legal advice and should be considered for general guidance only. 

For more information, please contact one of our Medical Malpractice Attorneys.

Medical Malpractice
Why Back to Basics?
In a recent study published in The American Journal of Surgery, the majority of general surgery residents surveyed felt that they were not aware of resources available to them in case of litigation. [1]

This is an unfortunate statistic since, according to the American Medical Association, one in three physicians has been sued at some point in their career, and nearly half of physicians age 55 and older reported having been sued. [2]

With this series, we will provide medical personnel practicing in Arkansas with a general overview of the legal process. We hope to dispel some common myths and to aid in a better understanding of what actually happens when a medical care provider is sued for malpractice. 
These articles are intended to provide general educational information only and cannot take the place of experienced legal advice.

[1] Beiqun Zhao, Luis C. Cajas-Monson, & Sonia Ramamoorthy, Malpractice Allegations: A reality check for resident physicians, 217 American Journal of Surgery 350-355 (2019).

[2] Kevin B. O'Reilly, 1 in 3 physicians has been sued; by age 55, 1 in 2 hit with suit, The American Medical Association (Jan. 26, 2018).
Medical Malpractice Group

When faced with a medical malpractice claim, healthcare providers require respected, experienced counsel they can trust to defend their practices and reputations. The attorneys in our Medical Malpractice Group are devoted to the defense of physicians, nurses, practice groups and hospitals in malpractice cases, which provides unique insight into the complexities of this type of litigation. 

At Friday, Eldredge & Clark, we are focused on providing our healthcare clients with consistently talented, ethical and efficient representation before state licensing boards and in all stages of litigation through jury trial and appeal.
Office For Civil Rights Offers Clarification Of Direct Liability for Business Associates Under HIPAA
Published in Arkansas Medical News (July/August)

On May 24, 2019, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued clarification on all instances through which a business associate can be held directly liable for compliance with certain requirements of the HIPAA Privacy, Security, Breach Notification and Enforcement Rules (HIPAA Rules).

The HIPAA Privacy Rule and Business Associates

A business associate is a person or organization, other than a member of a covered entity’s workforce, that performs certain functions or activities on behalf of, or provides certain services to, a covered entity that involve the use or disclosure of protected health information (PHI). Business associate services to a covered entity are limited to legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation or financial services. However, persons or organizations are not considered business associates if their functions or services do not involve the use or disclosure of protected health information, and where any access to protected health information by such persons would be incidental, if at all.

When a covered entity engages with a business associate, the Privacy Rule requires that the covered entity include certain protections for the information in a business associate agreement. In the business associate agreement, a covered entity must impose specified written safeguards on the individually identifiable health information used or disclosed by its business associates.

Healthcare Attorneys
About the Firm

Friday, Eldredge & Clark, LLP serves business, non-profit, governmental and individual clients in Arkansas and across the United States. It is one of the oldest law firms in the state and has been the largest Arkansas-based law firm for more than 50 years. The firm has practice areas focusing on General Litigation; Class Action and Business Litigation; Railroad; Labor and Employment; Medical Malpractice; Public Finance; Healthcare; Estate Planning and Probate; Employee Benefits; Real Estate and Commercial Transactions; and Merger and Acquisitions. Friday, Eldredge & Clark has offices in Little Rock, Fayetteville and Rogers, Arkansas.