The Arkansas Lawyer

Clearing the HIPAA Hurdle:
How to Get Medical Records Every Time
by Robert Gibson

     HIPAA. It's a dirty word right now in the minds of Arkansas trial lawyers. Mention it to a personal injury lawyer and she might rattle off some unintended expletives or get on her soapbox about useless government regulations. You see, she's been trying to retrieve medical records from various hospitals across the State over the last year using the same forms and methods she has always used, only to be met with denial after denial based upon each medical-care provider's interpretation of that strange animal we call "HIPAA." HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. Although passed in 1996, its regulations did not become effective until April 2003. Over the last year, Arkansas lawyers and medical-care providers have been doing their best to chart a course through HIPAA's foggy regulations.
     The goal of HIPAA is, of course, to ensure that a medical patient's privacy rights are not violated in this age of information. Whether HIPAA meets this goal or not is a matter of opinion. But most Arkansas lawyers agree that what was once a matter of course has become a game of chance: when you send your standard request for medical records, you never know what you will get in return.
     Here are a few suggested methods to ensure that you receive the medical records you need.
     1) Have the patient execute a HIPAA-compliant authorization.
     "HIPAA compliant" is the key terminology. The old, one-paragraph authorization for release of medical records you may have been using for the past 20 years no longer works. If you know the medical care provider from which you need information, make a preliminary phone call. Ask the provider if it has an authorization form it prefers. Most providers are comfortable with their own forms. It is therefore highly unlikely that a provider will object to your request made through a form it supplied.
     If you choose to draft your own form, you must include the "core elements" of a HIPAA-compliant authorization. The "core elements" are these:
     a) A description of the information to be used or disclosed that identifies the information in a specific and meaningful fashion;
     b) The name or other specific identification of the person(s), or a class of persons, authorized to make the requested use or disclosure;
     c) The name or other specific identification of the person(s), or class of persons, to whom the covered entity may make the requested use or disclosure;
     d) An expiration date or an expiration event that relates to the individual or the purpose of the use or disclosure;
     e) A statement of the individual's right to revoke the authorization in writing and the exceptions to the right to revoke, together with a description of how the individual may revoke the authorization;
     f) A statement that the information used or disclosed pursuant to the authorization may be subject to redisclosure by the recipient and no longer be protected by this rule;
     g) Signature of the individual and date; and
     h) If the authorization is signed by a personal representative of the individual, a description of such representative's authority to act for the individual.[1]

     It is that easy. So long as you include the core elements and have the authorization properly executed, you should receive the requested records with no objections. A sample authorization form that complies with these requirements accompanies this article.
     2) Issue a legally enforceable subpoena duces tecum.
     In 2001, the Arkansas Supreme Court amended Rule 45 of the Arkansas Rules of Civil Procedure to specifically disallow "stealth subpoenas" (i.e., subpoenas issued without notice to opposing counsel and directing a person to attend a deposition).[2] Rule 45 now requires service of subpoenas, notices of deposition, and record requests on all attorneys involved in the case. HIPAA adds a layer. It requires the party making a records request to give "satisfactory assurance" to medical-care providers that reasonable efforts have been made to ensure that the patient has been given notice of the request.[3]
     The satisfactory-assurance requirement places the burden on the requesting party to provide documentation showing:
     a) that a good faith attempt was made to give the patient written notice of the records request;
     b) that the notice contained sufficient information about the litigation or proceeding to enable the patient to make any available objection to the proper court or tribunal; and
     c) that the time to object has expired and no objections have been filed with the court or tribunal.[4]
     How do you do all that? The following notice is embraced by many Arkansas hospitals and other medical-care providers.
     Issue the Subpoena. Describe in detail the medical records you are requesting and supply a range of dates of service, if known.[5]
     Send a copy of the subpoena via certified mail, return receipt requested, to the patient's attorney with a copy to all other attorneys involved in the litigation. Your cover letter should look something like this:

     Re:   Jane Doe v. Big Insurance Co.
             Arkansas County Circuit No. CV-2004-001

Dear Jim Attorney:

            Enclosed please find a subpoena duces tecum I have issued in the above-referenced case. The subpoena directs The Hospital to produce the medical records pertaining to your client, Jane Doe. If no objection is made within ten (10) days, I will serve the subpoena on the hospital.

     Serve the subpoena on The Medical-Care Provider. After you have received the receipt-of-service back from the post office, wait 10 days[6] from the date of service, then send The Hospital the original subpoena, a copy of your cover letter to the patient's attorney, a copy of a file-marked pleading showing that the patient's attorney has entered his appearance in the litigation, the return receipt showing service on Jim Attorney, and an Affidavit from you setting out the following:

     •  the records requested are those of Jane Doe;
     •  Jim Attorney represents Jane Doe in the litigation;
     •  you sent the subpoena to Jim Attorney and all other parties to the litigation on (date);
     •  that Jim Attorney received the subpoena on (date);
     •  that more than 10 days have passed since service of the subpoena on the patient via her attorney; and
     •  no objections have been made known to you nor filed with the Court.
     If you follow the procedure outlined, then you should receive all the medical records you requested.


ENDNOTES:

1. 45 C.F.R. §164.508(c).
2. A.R.C.P. Rule 45(e).
3. 45 C.F.R. §164.512(e)(1)(ii).
4. 45 C.F.R. §164.512(e)(1)(iii).
5. There is some controversy over whether a party may issue a subpoena duces tecum directing a records custodian to send medical records by mail in lieu of attending the deposition. See, Ark. R. Civ. P. 45, Addition to Reporter's Notes, February 2001 Amendment. However, there should be no controversy if the requesting attorney serves the subpoena duces tecum with a deposition upon written questions under Rule 32, although it is admittedly more cumbersome.
6. Rule 45 allows 10 days to object to a subpoena for taking depositions.
