The Health Insurance Portability and Accessibility Act (HIPAA) has recently been used twice to stop the disclosure of medical records which would otherwise be required under a new Georgia medical malpractice reform law. Northlake Medical Center, LLC v. Queen and Allen v. Wright are Georgia intermediate appellate court decisions that highlight the complex interplay between the disclosure of medical records under state laws and the trumping of those laws by HIPAA.
A. Legal Framework
HIPAA's Privacy Rule generally prevents the unauthorized disclosure of protected health information (PHI) of a patient. There are numerous exceptions to this general rule. For example, a signed, written authorization by a patient will permit a physician to disclose PHI. Likewise, a request for disclosure pursuant to a properly served subpoena is an exception commonly used by doctors to obtain the medical histories of patients who sue them for medical malpractice.
There are numerous state medical records and patient privacy laws. For example, Maryland has a fairly complex medical record law that permits a signed, written authorization by a patient to be effective for up to one year. Maryland law also establishes a subpoena process that allows a doctor who is sued for medical malpractice to obtain PHI from the suing patient's other doctors to the extent that the PHI would be relevant to the doctor's defense.
Often, these laws interact, intersect, or conflict with HIPAA. For example, HIPAA has no explicit one-year requirement for authorizations, but requires an expiration date or event for a written authorization to be effective. HIPAA also requires that a written authorization include a description that identifies the information to be disclosed in a "specific and meaningful fashion." Also critical to the disclosure's efficacy under HIPAA is the requirement that the written authorization give the patient notice that the patient may revoke the written authorization at any time.
In those situations where a state statute conflicts with HIPAA, HIPAA preempts, or overrules, the state statute to the extent that the state law is more permissive than HIPAA.
B. Georgia Cases
In Georgia, a new medical malpractice reform bill enacted in 2005 required a patient who brings a medical malpractice action to sign a mandatory medical record disclosure form upon filing the complaint. The disclosure permitted the health care provider who is being sued to have access to the suing patient's PHI, including information from other physicians, to facilitate the investigation, evaluation and defense of the claims. The form, mandated by Georgia law, lacked an explicit warning that the suing patient could revoke the permission. The form also lacked a specific expiration date or event, although it implicitly limited the release to the underlying malpractice complaint.
The Georgia cases held that this mandatory disclosure form conflicted with HIPAA's requirements for written authorizations for the release of protected health information. The courts were also alarmed by the breadth and non-specificity of the PHI that might be inadvertently disclosed by physicians. Furthermore, it was apparent to the courts that the authorization was not needed because protected health information relevant to the medical malpractice defense could be obtained in Georgia via a subpoena.
One of the Georgia cases has been appealed. Nevertheless, whether or not the foregoing conclusions are ultimately upheld, these cases clearly demonstrate the complicated interplay between HIPAA and state medical records and patient privacy laws.