May a covered entity that is a plaintiff or defendant in a legal proceeding use or disclose protected health information for the litigation?
Yes. Where a covered entity is a party to a legal proceeding, such as a plaintiff or defendant, the covered entity may use or disclose protected health information for purposes of the litigation as part of its health care operations. The definition of “health care operations” at 45 CFR 164.501 includes a covered entity’s activities of conducting or arranging for legal services to the extent such activities are related to the covered entity’s covered functions (i.e., those functions that make the entity a health plan, health care provider, or health care clearinghouse). Thus, for example, a covered entity that is a defendant in a malpractice action, or a plaintiff in a suit to obtain payment, may use or disclose protected health information for such litigation as part of its health care operations.
The covered entity, however, must make reasonable efforts to limit such uses and disclosures to the minimum necessary to accomplish the intended purpose. See 45 CFR 164.502(b), 164.514(d). In most cases, the covered entity will share protected health information for litigation purposes with its lawyer, who is either a workforce member or a business associate. In these cases, the Privacy Rule permits a covered entity to reasonably rely on the representations of a lawyer who is a business associate or workforce member that the information requested is the minimum necessary for the stated purpose. See 45 CFR 164.514(d)(3)(iii)(C). A covered entity’s minimum necessary policies and procedures may provide for such reasonable reliance on the lawyer’s requests for protected health information needed in the course of providing legal services to the covered entity.
In disclosing protected health information for litigation purposes, the lawyer who is a workforce member of the covered entity must make reasonable efforts to limit the protected health information disclosed to the minimum necessary for the purpose of the disclosure. Similarly, a lawyer who is a business associate must apply the minimum necessary standard to its disclosures, as the business associate contract may not authorize the business associate to further use or disclose protected health information in a manner that would violate the HIPAA Privacy Rule if done by the covered entity. Depending on the circumstances, this could involve de-identifying the information or stripping direct identifiers from the information to protect the privacy of individuals, and may in some cases limit disclosures more significantly than would be required to meet a “relevance” standard. Further, whether as workforce members or business associates, lawyers may consider availing themselves of the protections routinely afforded to similarly confidential information within the litigation forum, such as protective orders on the use of the information in public portions of the proceedings.