
Vol. 76, No. 8, August 2003
Attorney Access To and Use of Medical Records
Now that health care providers are in 
compliance with the HIPAA privacy rule, attorney attention has shifted 
to how the federal rule and Wisconsin laws affect them in their own law 
practices. This article assists attorneys in all practice areas in 
negotiating the hazards of state and federal medical privacy laws, and 
includes helpful charts.
by Elizabeth C. Stone
In the years leading up to the April 14, 2003, 
deadline for compliance with the federal privacy regulations enacted 
pursuant to the Health Insurance Portability and Accountability Act of 
1996 (HIPAA), attorneys representing health care providers and other 
HIPAA "covered entities" focused their attention on assisting their 
clients in achieving compliance with the regulations. Now that entities 
covered by the HIPAA privacy regulations (the "Privacy Rule" or "Rule") 
are, presumably, operating in compliance with the Rule, those same 
attorneys - and others who do not represent but do interact with covered 
entities - will likely be compelled to shift their focus to the ways in 
which the Privacy Rule may indirectly affect them.[1]
Because the Privacy Rule limits the extent to and the manner in which 
covered entities such as health care providers are permitted to share 
information with third parties, it will necessarily affect those parties 
who need to obtain access to information in the hands of those covered 
entities. Attorneys who represent health care providers, and attorneys 
who need medical records or other patient information in the course of 
litigation or other legal matters, will be indirectly affected by the 
Privacy Rule.
Yet the analysis for attorneys in Wisconsin does not begin and end 
with the Privacy Rule. Interestingly, existing Wisconsin medical records 
confidentiality laws are in many ways more restrictive than the Privacy 
Rule when it comes to attorney access to medical records and in most 
cases will continue in effect alongside the new federal rules.
The bottom line is that all Wisconsin attorneys, even those 
practicing outside the realm of health law, should have a basic 
understanding of how the Privacy Rule interacts with state law and the 
net effects of that interaction on their access to medical records.
Attorneys and the HIPAA Privacy Rule
Attorney Access to Health Information Under the Privacy Rule. The 
Privacy Rule applies directly to three distinct categories of "covered 
entities," the most important category for purposes of this article 
being the covered health care provider.[2] A health care provider is subject to the Privacy 
Rule if it conducts specified types of financial and administrative 
transactions, such as submitting insurance claims, via electronic 
means.[3] Most hospitals and physician 
practices, and many nursing homes and other health care facilities, are 
covered under the Privacy Rule.
The basic purpose of the Privacy Rule is to safeguard the 
confidentiality of "protected health information" (PHI) in the hands of 
covered entities. PHI is information in any form or medium - paper, 
oral, electronic - that relates to an individual's health care and that 
either directly identifies or can be used to identify the subject 
individual.[4] For health care providers, all 
identifiable patient information collected or created in the course of 
treating patients constitutes PHI.
The backbone of the Privacy Rule's confidentiality protections is its 
limitation on the manner in which covered entities are permitted to use 
and disclose PHI. A "use" under the Rule is the sharing or employment of 
PHI within a covered entity; a "disclosure," on the other hand, is the 
sharing of PHI outside a covered entity.[5] 
Generally, a covered entity may not use or disclose PHI without first 
obtaining the subject individual's written consent, known as 
"authorization."[6]
There are, however, several exceptions to the authorization rule, a 
few of which prove beneficial to attorneys seeking access to medical 
information. First, the Rule makes clear that "[c]onducting or arranging 
for ... legal services" falls within the range of business and 
management functions of a covered entity known as "health care 
operations." Covered entities are permitted to use and disclose PHI 
without authorization when engaged in such functions.[7] In other words, the Privacy Rule generally permits 
providers, without authorization, to use PHI, and to disclose it to 
their attorneys, in order to obtain legal advice and 
representation. Thus, attorneys representing providers are permitted 
under the Rule to access their clients' PHI without obtaining 
authorization. Attorneys seeking records from nonclient providers, 
however, are not eligible for this exception and thus ordinarily will be 
required to obtain patient authorization prior to accessing those 
records.
Figure 1

Privacy Rule Plus State Law Effects on Outside Counsel Access to and Use and Disclosure of Client's PHCR

| Method of Accessing PHCR | Use | Disclosure |
| --- | --- | --- |
| Authorization | Use permitted, subject to business associate obligations | Disclosure permitted, subject to business associate obligations |
| Court order | Use permitted, subject to business associate obligations and any limitations in court order | Disclosure permitted only if court order explicitly authorizes; disclosures are subject to business associate obligations |
| Deidentification | Use permitted | Disclosure prohibited |
Second, when records are sought in the course of judicial or 
administrative proceedings, the Rule permits providers to disclose PHI 
to their own and other attorneys, without authorization, in response to: 
1) a court or administrative order; or 2) subject to certain conditions, 
a subpoena, discovery request, or "other lawful process."[8] Third, providers are permitted to share with 
attorneys, without authorization, any information that has been properly 
"de-identified," that is, purged of some 18 specified elements of 
identifying information such that the identity of the subject individual 
is indiscernible.[9]
The Business Associate Rule. Under the Privacy Rule, 
attorneys are classified as "business associates" of their covered 
entity clients.[10] Providers and other 
covered entities are required, with each of their business associates, 
to enter into a contract containing specific provisions regarding the 
permitted uses the business associate may make, and the manner in which 
the business associate must protect the confidentiality, of any PHI it 
receives for or on behalf of the provider.[11] Importantly, the business associate rule 
operates whether or not the business associate is performing functions 
that would require an authorization prior to the provider's disclosure 
of PHI to the business associate. Thus, for example, even though 
obtaining legal services is a health care operation that does not 
require the provider to obtain authorization prior to disclosing PHI 
therefor, a covered provider nonetheless must enter into a business 
associate contract with its outside counsel.
Fortunately for law firms and attorneys who serve covered health care 
providers, these business associate contracts should not fundamentally 
change the manner in which they handle PHI received from or on behalf of 
their clients. In general, business associate contracts must prohibit 
the business associate from using or disclosing PHI in a manner that 
would violate the Privacy Rule if done by the covered entity; thus, if 
the Rule would require the provider to obtain authorization prior to 
using PHI for a certain purpose, then the business associate is likewise 
required to obtain authorization to use PHI for that purpose. In the 
case of attorneys, however, because legal representation is a health 
care operation, most uses and disclosures of PHI made by attorneys in 
the course of representing their health care clients will not require 
authorization under the Privacy Rule.
Nonetheless, business associate contracts will impose some new 
obligations on attorneys with respect to PHI received from or on behalf 
of their provider clients. Business associate contracts will generally 
prohibit attorneys from using or disclosing PHI for purposes other than 
legal representation and require them to: 1) use "appropriate 
safeguards" to prevent prohibited uses and disclosures; 2) report 
unauthorized uses and disclosures to the provider client; 3) ensure that 
any agents or subcontractors to whom PHI is provided agree to the same 
restrictions and conditions that apply to the business associate with 
respect to that information; 4) make certain PHI available for 
inspection and potential amendment by the patient who is the subject of 
the information; 5) track certain of their disclosures of PHI in the 
event the patient ever seeks an accounting thereof; 6) open their books 
and records in the event of a HIPAA audit; and 7) return or destroy all 
PHI once the attorney-client relationship terminates.[12] The contract will also authorize the provider 
client to fire the attorney if the attorney commits a "material breach" 
of the contract.[13]
In summary, the Privacy Rule generally affords attorneys broad access 
to PHI in the hands of their provider clients without the need for 
authorization. Those attorneys, however, are in turn limited and 
conditioned in their use and disclosure of that information by the 
business associate contract. On the other hand, attorneys seeking access 
to records in the hands of nonclients are not subject to business 
associate requirements but, with only limited exceptions, must obtain 
authorization in order to access the information in the first place.
Comparing the Privacy Rule to Wisconsin's Patient Records Statute
Wisconsin has enacted its own patient records statute to protect the 
confidentiality of medical records.[14] 
Section 146.82 protects the confidentiality of "patient health care 
records" (PHCR), which are defined as all records prepared by or under 
the supervision of a health care provider that relate to the health of a 
patient (excluding mental health and other specific types of medical 
records that are protected under other statutes).[15] Like the Privacy Rule, section 146.82 applies to 
health information in a variety of forms, including paper and electronic 
records; however, section 146.82 is narrower than the Privacy Rule in 
that it ostensibly applies only to "records" and does not purport to 
protect medical information that is not "recorded or preserved" in some 
tangible form.[16] (Hereinafter, the term 
"PHCR" is used to refer to information protected both under state law 
and under the Privacy Rule.)
In its applicability, section 146.82 is in some ways narrower and in 
some ways broader than the Privacy Rule. In contrast to the three types 
of entities covered by the Privacy Rule, only health care providers are 
directly subject to section 146.82.[17] 
However, the Wisconsin law, unlike the Privacy Rule, applies to all 
health care providers, regardless of whether they engage in electronic 
financial and administrative transactions. The net result for health 
care providers is that those that are covered entities under HIPAA will 
also be subject to state law. Therefore, in sharing PHCR with their 
attorneys and others, covered providers must follow both the Privacy 
Rule and state law.
The basic mechanism for privacy protection under the state law is 
similar to that under the Privacy Rule. Generally, section 146.82 
prohibits the release of PHCR without written patient authorization. 
(Such authorization is termed "informed consent" in the Wisconsin law; 
hereinafter, the term "authorization" is used to mean both Privacy Rule 
"authorization" and state law "informed consent.") Unlike the terms 
"use" and "disclosure" under the Privacy Rule, the term "release" is not 
defined in the Wisconsin law, but the commonly held assumption is that 
the state law regulates only the sharing of information outside the 
entity, akin to a HIPAA "disclosure."
Like the Privacy Rule, section 146.82 provides exceptions to the 
authorization rule; however, the exceptions applicable to disclosures to 
attorneys are narrower than those under the Privacy Rule. Most notably, 
in significant contrast to the Privacy Rule, state law does not provide 
a blanket exception for health care operations activities. Thus, section 
146.82 does not permit a health care provider, without authorization, to 
disclose PHCR to outside counsel for purposes of obtaining legal advice 
and representation.
There are only two state law exceptions that may apply with respect 
to disclosures of PHCR to outside counsel: 1) when a court order has 
been obtained; or 2) when the records "do not contain information ... 
that would permit the identification of the patient."[18] The court order exception is analogous to, but 
narrower than, the Privacy Rule's exception for disclosures pursuant to 
a court order, subpoena, or other lawful process. With respect to the 
deidentification exception, state law is consistent with the Privacy 
Rule in permitting disclosures of deidentified information but, unlike 
the Rule, provides no specific guidance on how deidentification is to be 
achieved.
Though state law contains no analogue to the business associate rule, 
it does include a provision that generally prohibits recipients of PHCR 
obtained without authorization from "redisclosing" that information, 
except as authorized by a court order.[19] 
Thus, under state law, anyone - attorneys included - who obtains PHCR 
from a health care provider without authorization (or court order) is 
prohibited from disclosing it to others, for any purpose.
Practical Implications for Attorneys' Access to and Use and Disclosure of PHCR
Under the Privacy Rule, state medical records confidentiality laws 
will apply in tandem with the Rule unless the state law is contrary to 
the Rule, meaning that it would be impossible to comply with both laws. 
If a state law is deemed contrary to the Rule, whichever law is more 
stringent will prevail. State law will generally be deemed more 
stringent than the Rule if it provides greater restrictions on the 
covered entity's use or disclosure of PHI.[20] Because Wisconsin law is stricter than the 
Privacy Rule in many ways, it often prevails over the Privacy Rule, 
yielding interesting effects on attorney access to PHCR.
Attorneys' Access to Provider Clients' Records. As 
noted above, the Privacy Rule permits covered health care providers to 
disclose PHCR without authorization to their counsel in order to seek 
legal advice and representation. State law, however, is not so generous; 
it requires that the provider obtain an authorization before disclosing 
PHCR even to its own counsel, unless an exception applies. State law, 
being contrary to and more stringent than the Privacy Rule, will prevail 
on this issue, and, thus, effectively, outside counsel are not permitted 
to access their clients' PHCR without the individual patient's 
authorization unless an exception recognized under both state law and 
the Privacy Rule applies.
Two possible exceptions may apply. While the Privacy Rule would allow 
disclosures in administrative/judicial proceedings in response to a 
court order, subpoena, or other lawful process, state law allows such 
disclosures only in response to court orders, with the net result that 
Wisconsin providers are afforded an exception for court orders only. The 
other possible exception is for deidentified information, as to which 
the Privacy Rule and state law are generally consistent, except that the 
Rule is more specific as to what constitutes deidentified information, 
with the result that the Privacy Rule definition of deidentification 
will prevail. The first column of Figure 1 sets forth the three primary 
options for outside counsel seeking access to their provider clients' 
PHCR: 1) authorization; 2) court order; and 3) deidentification.
Once the attorney has obtained the records under one of these three 
options, the Privacy Rule's business associate requirements and the 
state law redisclosure prohibition will affect the manner in which the 
attorney is permitted to further use and disclose the records. As 
illustrated in Figure 1, an attorney who has obtained records pursuant 
to an authorization is limited in his or her use and 
disclosure of those records only to the extent of any limitations in the 
business associate contract; the state law redisclosure prohibition does 
not apply when an authorization has been obtained. In practical effect, 
since the business associate contract will generally permit the attorney 
to use and disclose PHCR for purposes of providing legal representation, 
once the attorney has obtained PHCR pursuant to an authorization, the 
attorney may use and disclose PHCR in the legal matter (to cocounsel, in 
court papers, to witnesses, for example) without restriction. Note, 
however, that the attorney will be required to obtain a business 
associate-like contract with any agents or subcontractors (such as 
expert witnesses and court reporters) to whom PHCR are disclosed in the 
course of the representation.
Figure 1 also depicts the implications of 
obtaining PHCR by court order or deidentification. A court order might 
be obtained, for example, if a plaintiff in a medical malpractice 
lawsuit refused to sign an authorization permitting the disclosure of 
the defendant health care provider's PHCR to the provider's attorneys. 
The court order might simply direct the plaintiff to sign an 
authorization; if so, once the authorization has been obtained, the 
attorney is permitted to access the records and to use and disclose them 
just as if the authorization had been obtained without a court order. On 
the other hand, the court might simply issue an order permitting the 
provider to disclose the plaintiff's records to its counsel. In this 
scenario, the attorney would be bound in her uses and disclosures of the 
records not only by her business associate obligations but also by the 
terms of the court order. Further, unless the court order specifically 
permitted the attorney to disclose records in the course of the 
litigation, the state law redisclosure prohibition would prohibit the 
attorney from doing so. Thus, when attorneys are compelled to seek a 
court order, they are well advised to seek an order directing the 
individual to sign an authorization or, at the very least, to ensure 
that the court order permitting the provider to disclose records also 
contains sufficient provisions allowing the attorney to further use and 
disclose the records in the course of the legal matter.
Finally, there is the deidentification option. Deidentified records 
may or may not be of use to an attorney, depending on the circumstances. 
When a lawsuit has been filed against the provider and the attorney 
needs access to the plaintiff's medical records, deidentification is, of 
course, impossible. On the other hand, if a provider is seeking quick 
advice from its attorney, for example, on how to handle a problem with a 
particular patient, the attorney may not need identifiable records to 
make a recommendation. Under the Privacy Rule, information that has been 
deidentified is simply not subject to any of the Rule's protections; 
thus, deidentified information in the hands of a business associate is 
not subject to the protections of the business associate contract. 
Therefore, as reflected in Figure 1, when an attorney has obtained 
deidentified records, she is permitted to use those records 
without restriction under the Privacy Rule. State law likewise imposes 
no restriction on the use. However, the state law redisclosure 
prohibition apparently continues to apply, the net result being that 
attorneys who obtain deidentified records from their clients are 
permitted to use those records but are prohibited under state law from 
disclosing them to anyone else.
In-house Counsel's Access to Client Records. Because 
state law regulates only external disclosures, it imposes no 
restrictions on the provider's sharing of PHCR with its own in-house 
counsel. The Privacy Rule does regulate such information sharing as a 
"use"; however, because this type of use is considered a health care 
operation, the Privacy Rule, like state law, does not require 
authorization. In sum, a provider wishing to share PHCR with its 
in-house counsel may do so without authorization. Similarly, in-house 
attorneys, as employees of the covered entity, may use these PHCR, once 
obtained, without authorization under both the Privacy Rule - because 
the use is a health care operation - and state law - which does not 
regulate internal uses. By contrast, disclosures by in-house counsel - 
though permitted without authorization under the Privacy Rule as part of 
health care operations - are regulated by state law, and will require 
authorization - or a court order or deidentification - to enable the 
disclosure. This analysis is illustrated in Figure 2. As employees of 
the covered entity, in-house counsel are not subject to business 
associate contracts, nor are they considered recipients for purposes of 
the state law redisclosure prohibition.[21]
Elizabeth C. Stone, Duke 1997, is an associate in the Madison office of 
von Briesen & Roper s.c. in the firm's Health Care Practice Group. She 
practices in health care issues, with a focus on regulatory compliance, 
including HIPAA. She formerly was an attorney in the U.W.-Madison Office 
of Administrative Legal Services, where she represented the U.W. Medical 
School, focusing on health care regulatory compliance and physician risk 
management.
Attorneys' Access to Records of Nonclient Providers. 
As depicted in Figure 3, the analysis with respect to attorneys seeking 
PHCR from sources other than their own clients is almost identical to 
the analysis for outside counsel seeking access to client PHCR, with one 
important distinction. An attorney will never enter into a business 
associate contract with a nonclient - for the simple reason that no 
business associate relationship exists - and thus the attorney who 
obtains PHCR from a nonclient will not be bound by any business 
associate contract requirements. Thus, ironically, applying the Privacy 
Rule in combination with state law, the restrictions on outside 
attorneys' ability to further use and disclose PHCR are actually greater 
when the attorney obtains information from her own client than when she 
obtains records from someone else.
Pointers and Conclusions
As is likely evident from the above discussion, attorneys - with the 
exception of in-house counsel - seeking access to PHCR from clients or 
others are best served by obtaining the subject individual's 
authorization if at all possible. Obtaining authorization is usually 
less burdensome than seeking a court order, and the information obtained 
thereby will be more useful than deidentified information. In addition, 
obtaining authorization will vitiate the state law redisclosure 
prohibition and thus provide more latitude to the attorney to use and 
further disclose the information.
Figure 2

Privacy Rule Plus State Law Effects on In-house Counsel Access to and Use and Disclosure of Client's PHCR

| Method of Accessing PHCR | Use | Disclosure |
| --- | --- | --- |
| Access permitted without authorization or authorization substitute | Use permitted without authorization or authorization substitute | Disclosure permitted only with authorization, court order, or deidentification |

Figure 3

Privacy Rule Plus State Law Effects on Attorney Access to and Use and Disclosure of Nonclient's PHCR

| Method of Accessing PHCR | Use | Disclosure |
| --- | --- | --- |
| Authorization | Use permitted | Disclosure permitted |
| Court order | Use permitted, subject to any limitations in court order | Disclosure permitted only if court order explicitly authorizes |
| Deidentification | Use permitted | Disclosure prohibited |
In seeking access to medical information, attorneys should expect 
many providers to require the use of the provider's own authorization 
form. Virtually all providers covered by the Privacy Rule are likely by 
now to have revised their forms (previously known in the vernacular as 
"medical release" forms) to incorporate the Privacy Rule's required 
elements into their already state law-compliant forms. Because of 
providers' anxiety regarding HIPAA compliance, they are likely to reject 
an unfamiliar form in favor of their own forms, the HIPAA integrity of 
which is not in doubt. Attorneys with long-standing relationships with 
provider clients may wish to work with these clients to create a 
standard authorization form specific to the attorney or law firm. 
Attorneys who will seek to obtain medical records from nonclients and 
who will attempt to use their own forms should draft those forms to be 
compliant with both the Privacy Rule and all relevant state law.
Given the Privacy Rule's recent inception, it is anyone's guess as to 
how strictly it will be enforced. Judging from the dearth of reported 
case law, it seems that enforcement of section 146.82 historically has 
been relatively lax. Whether such laxity will remain the norm in this 
era of heightened federal attention to privacy issues and increased 
public awareness about privacy remains to be seen. The upshot is that, 
for a variety of reasons, all attorneys should make every effort to 
understand the requirements of and comply with their obligations under 
both existing Wisconsin law and the new federal Privacy Rule.
Endnotes
[1] 45 C.F.R. parts 160 and 164.

[2] The other two categories of covered entities are health plans, such as health insurance companies and HMOs, and health care clearinghouses, organizations that process and reformat health information for providers and health plans. 45 C.F.R. §§ 160.102, 164.104.

[3] 45 C.F.R. §§ 160.102, 164.104.

[4] 45 C.F.R. § 160.103 (definition of "protected health information"). Note that the definition of PHI specifically excludes employment records and certain federally regulated education records.

[5] 45 C.F.R. § 164.501 (definitions of "use" and "disclosure").

[6] 45 C.F.R. § 164.508(a)(1). A valid authorization must contain nine specified elements. § 164.508(c).

[7] 45 C.F.R. § 164.501 (definition of "health care operations"); §§ 164.502(a)(1)(ii), .506.

[8] 45 C.F.R. § 164.512(e).

[9] 45 C.F.R. §§ 164.502(a)(1)(vi), .514(a), (b)(2). There are a few other exceptions that may apply in specific circumstances, such as in worker's compensation cases and when disclosures are required under other applicable laws. § 164.512(a), (l).

[10] 45 C.F.R. § 160.103 (defining "business associate" as one who performs business functions or activities involving PHI for or on behalf of a covered entity).

[11] 45 C.F.R. §§ 164.502(e), .504(e).

[12] 45 C.F.R. § 164.504(e)(2).

[13] 45 C.F.R. § 164.504(e)(2)(iii).

[14] Wis. Stat. §§ 146.81-.84.

[15] Wis. Stat. §§ 146.82(1), .81(4). It should be noted that the conclusions herein may not apply to records subject to these other state laws, such as section 51.30 (mental health/substance abuse records) and section 252.15 (AIDS/HIV records).

[16] Wis. Stat. § 146.836.

[17] Though the statute does not contain an explicit statement regarding its applicability, it becomes clear from reading section 146.82 and surrounding sections that its intent was to regulate providers. See Wis. Stat. § 146.81(4) (defining "patient health care records" as records prepared by a "health care provider"); § 146.81(2)(c) (envisioning that "health care providers" will be seeking consent to release records). See also the use of the term "provider" in section 146.82(2)(a)5., 6., 7., and 11., and (2)(d).

[18] Wis. Stat. § 146.82(2)(a)4., 20.

[19] Wis. Stat. § 146.82(2)(b).

[20] See 45 C.F.R. §§ 160.203 (preemption rules), .202 (definitions of "contrary" and "more stringent").

[21] It should be noted that this analysis would change if state law were construed to cover internal uses as well as external disclosures. Under this alternative construction, in-house counsel would be regulated in exactly the same manner as outside counsel, and the conclusions reflected in Figure 1 and discussed in the article would apply equally to in-house as well as to outside counsel.
Wisconsin Lawyer