Posted on August 13, 2010 by Robert Cochran

Hospital hit with lawsuit after complying with grand jury subpoena

On Feb. 1, the U.S. District Court in Cleveland issued a significant decision concerning the disclosure of medical information in response to a grand jury subpoena.

The grand jury subpoena was issued to the Cleveland Clinic as part of a criminal investigation of James Turk for carrying a concealed weapon. The Cleveland Clinic complied with the subpoena and supplied the records to a police detective as instructed by the subpoena. As a result of the criminal investigation, Turk was charged with various offenses. A jury eventually acquitted him of one charge and the other charges were dismissed. Turk then filed a lawsuit in federal court against the police and various other defendants, including the Cleveland Clinic. The lawsuit alleged the defendants violated his rights in connection with the criminal investigation.

Regarding his medical records, Turk claimed the Cleveland Clinic violated his privacy rights by releasing privileged medical records in response to the grand jury subpoena. The clinic argued the claim should be dismissed because the clinic was responding to a grand jury subpoena. The clinic argued that Ohio courts do not extend the physician-patient privilege to records subpoenaed by the grand jury because the disclosure to the grand jury is not a public disclosure. The clinic also argued that the disclosure was required because there is a countervailing interest in investigating criminal activity.

The trial court rejected both arguments and overruled the clinic’s motion to dismiss. The court ruled that there is no statutory privilege permitting disclosure of medical records in response to a grand jury subpoena. Additionally, the court rejected the public policy argument that the government’s interest in investigating criminal activity outweighed Turk’s interest in maintaining the confidentiality of his medical records. The court concluded that no such public policy exception to the physician-patient privilege exists under Ohio law.

The court also addressed the applicability of the Health Insurance Portability and Accountability Act (HIPAA) to the disclosure of Turk’s medical records. HIPAA authorizes (but does not require) a hospital to release a patient’s medical records in response to a grand jury subpoena. HIPAA preempts state law unless the state law relates to the privacy of individually identifiable health information and is more stringent than HIPAA. The court concluded that Ohio Revised Code §2317.02 (Ohio’s physician-patient privilege statute) is more stringent than HIPAA, and therefore is not preempted.

When deciding whether to disclose medical records, health care providers need to consider Ohio Revised Code §2317.02 as well as HIPAA. A disclosure authorized by HIPAA may be prohibited under Ohio Revised Code §2317.02. In addition, special attention should be paid to requests for records from law enforcement, including grand jury subpoenas and criminal trial subpoenas. The public’s interest in investigating criminal activity is not necessarily more important than the public’s interest in preserving the confidentiality of medical records. Providers should consult legal counsel when necessary.
Tags: , ,
Posted on June 19, 2009 by David Kopans

AMA Adopts New Guidelines on Responding to Breaches of Patient Records

On June 15, 2009, the American Medical Association (AMA) approved new guidelines for physicians on responding to breaches of patients' electronic medical records (EMR).

According to the AMA Council on Ethical and Judicial Affairs (CEJA) in its report, CEJA Report 3-A-09, these guidelines are intended to fill an important gap in the AMA's policy, which, until now, did not "address physicians' ethical responsibilities in the event the security of electronic records is breached and patient data are inappropriately accessed." The CEJA identified the need for the guidelines particularly in light of the newly enacted American Recovery and Reinvestment Act of 2009 (ARRA), which amended the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to mandate that patients be notified in the event of certain breaches of their medical records.

As adopted, the guidelines state:

"When there is reason to believe that patients’ confidentiality has been compromised by a breach of the electronic medical record, physicians should:

  1. Ensure that patients are promptly informed about the breach and potential for harm, either by disclosing directly (when the physician has administrative responsibility for the EMR), participating in efforts by the practice or health care institution to disclose, or ensuring that the practice or institution takes appropriate action to disclose.
  2. Follow ethically appropriate procedures for disclosure, which should at minimum include: 
    1. carrying out the disclosure in a private setting and within a time frame that provides patients ample opportunity to take steps to minimize potential adverse consequences; and
    2. describing what information was breached; how the breach happened; what the consequences may be; what corrective actions have been taken by the physician, practice, or institution; and what steps patients themselves might take to minimize adverse consequences.
  3. Support responses to security breaches that place the interests of patients above those of the physician, medical practice, or institution.
  4. To the extent possible, provide information to patients to enable them to mitigate potential adverse consequences of inappropriate disclosure of their personal health information, such as credit monitoring services or identity theft hotline."

Now, physicians and other health care providers who intend to establish policies to address responses to breaches of their patients' EMR must not only take into account the above AMA guidelines and the recent amendments to HIPAA but they also must remember to consult the applicable laws of their own state.

Tags: , , , , , , , , , ,
Posted on June 20, 2008 by Jarad Hunter

Ohio's Physician-Patient Privilege and Grand Jury Subpoenas

The Fourth District Court of Appeals in Ohio recently released an opinion indicating that the trial court erred by refusing to grant a motion to quash a grand jury subpoena requesting medical records from a physician.  The grand jury had issued a subpoena ordering the physician to produce the medical records of over 50 patients.

The case is instructive regarding application of the physician-patient privilege to grand jury subpoenas in Ohio.  Under Federal privacy regulations, a covered entity may disclose protected health information without a "HIPAA-compliant" authorization in compliance with and as limited by the relevant requirements of a grand jury subpoena.  See 45 C.F.R. 164.512(f)(1)(ii)(B).  However, an Ohio court has recognized that the state law physician-patient privilege is more stringent than the Federal privacy regulations.  See Grove v. Northeast Ohio Nephrology Assoc., 2005-Ohio-6914, Paragraphs 18-23.

The Ohio Supreme Court has stated that in the absence of a prior authorization, a physician or hospital is privileged to disclose confidential medical information in those special situations where disclosure is made in accordance with a statutory mandate or common law duty, or where disclosure is necessary to protect or further a countervailing interest that outweighs the patient's interest in confidentiality.  Biddle v. Warren Gen. Hosp., 1999-Ohio-115 (syllabus).

In this case, the Court found no statutory exception to the physician-patient privilege.  In addition, the Court refused to "judicially create a public policy exception to the privilege statute for grand jury subpoenas."  Physicians and hospitals should be aware of this opinion (and its analysis) when responding to grand jury subpoenas requesting medical records.

Tags: , , , , , ,