Those who handle litigation that involves the need to obtain patient information from healthcare providers may be interested to know that the federal Department of Health & Human Services has issued new Frequently Asked Questions for HIPAA Privacy addressing the permissible use and disclosure of PHI (protected health information) in the context of litigation. The new FAQs can be found here and answer the following important questions:
- May a covered entity that is a plaintiff or defendant in a legal proceeding use or disclose protected health information for the litigation?
- May a covered entity that is not a party to a legal proceeding disclose protected health information in response to a subpoena, discovery request, or other lawful process that is not accompanied by a court order?
- May a covered entity use or disclose protected health information for litigation?
- What “satisfactory assurances” must a covered entity that is not a party to the litigation receive before it may respond to a subpoena without a court order?
- When must a covered entity account for disclosures of protected health information made during the course of litigation?
- For disclosures for judicial and administrative proceedings, when is a copy of the subpoena itself sufficient satisfactory assurance of notice to the individual?
- For disclosures for judicial and administrative proceedings, can notice be provided to the individual’s lawyer instead of the individual?
- May a covered entity disclose protected health information in response to a court order?
- In providing legal services to a covered entity, must a lawyer who is a business associate require that those persons to whom it discloses protected health information agree to abide by the privacy restrictions and conditions that apply to the lawyer?