When Covered Entities or Business Associates or their counsel analyze whether a particular disclosure of Protected Health Information (or “PHI,” as defined in HIPAA) is permissible, they should be sure also to analyze whether the disclosure complies with HIPAA’s Minimum Necessary Rule (“MNR”), which is oft forgot. This issue arises when disclosing PHI in response to subpoenas, which HIPAA permits as long as the disclosing party receives satisfactory assurances that the requesting party has made reasonable efforts to obtain a protective order or to notify the individual(s) who is/are the subject of the disclosure and provide them with an opportunity to object. 45 CFR 164.512(e).
Set forth at 45 CFR § 164.502(b)(1), the MNR states:
When using or disclosing protected health information or when requesting protected health information from another covered entity or business associate, a covered entity or business associate must make reasonable efforts to limit protected health information to the minimum necessary to accomplish the intended purpose of the use, disclosure, or request.
The MNR does not apply in situations where it either does not protect the individual (such as when the disclosure is to the patient herself or to the OCR for investigatory or compliance purposes) or where the burden of compliance is outweighed by the purpose of the disclosure (such as when the disclosure is for treatment purposes). None of the MNR exceptions (the complete list is at 164.502(b)(2)) is implicated in the routine subpoena/court order context.
This means that a Covered Entity (or its counsel) should not simply copy the entire patient record pertaining to the issue before the court without ensuring that it only includes information minimally necessary to accomplish the intended purpose of the disclosure, which here would be to comply with the subpoena by disclosing the requested records, provided they are relevant. So, in one sense, the general relevance standard in litigation and the MNR are the same, and ordinarily if the information disclosed includes strictly relevant information, including PHI, the MNR should be satisfied.
On the other hand, unlike the general relevance standard, which does not prohibit a party from disclosing irrelevant information, the MNR explicitly prohibits disclosure of irrelevant PHI because such would not further the intended purpose of the disclosure. Therefore, under certain circumstances, it would seem that a Covered Entity responding to a subpoena could risk HIPAA sanctions by running afoul of the MNR for disclosing certain irrelevant PHI, but not be at risk of consequences related to breaching the plaintiff’s privacy. For example, in the routine slip-and-fall case, what if the treating physician recorded in the “social history” section of the history and physical examination that the plaintiff has a history of alcoholism, substance abuse or mental illness, all of which turns out to be responsive to the subpoena, but ultimately is determined to be irrelevant to the litigation. If the Covered Entity hospital had not redacted those references, the plaintiff will not likely be able to successfully sue the hospital for breach of privacy or emotional distress for improperly disclosing the PHI because it did so properly in response to the subpoena. For the same reason, the plaintiff could not succeed with a private right of action under state law (HIPAA not having a private right of action). However, the Covered Entity has probably violated the MNR and could face OCR scrutiny and possible penalties.
You can imagine how this could play out where, say, the defendant in the slip-and-fall case, a convenience store owner, happens to be a family friend, employer, neighbor or worse—an enemy—of the patient. If the store-owner’s attorney gave appropriate notice to the patient/plaintiff, she could not object because she filed a suit about which her health condition is now at issue, and she probably would not object anyway because she probably would not be thinking about that information being in her record or that her friend or enemy might see it. Or perhaps the subpoenaing attorney obtained a protective order. Either way, the hospital would provide the records to him, and his client could then easily learn about the plaintiff’s embarrassing social history, and she would have little recourse for damages other than the satisfaction of learning about whatever penalties the OCR may ultimately assess against the hospital.
How would you handle it?
Additional posts related to HIPAA