Karen Darnall, Feb '16, CITATIONS is the official publication of the Ventura County Bar Association
If medical facts are important to your case, it is important to grab the right end of the stick. A person can access medical records or agree to disclose them. You should also consider differences between HIPAA and California law.
The subpoena is a way to compel disclosures of medical information. Medical records are business records and "personal records" under CCP § 1985.3. The request must be relevant to the lawsuit, and the subpoenaing party must send a "notice to consumer" to allow the individual an opportunity to protect him or herself.
The subpoena is a blunt instrument. HIPAA gives patients the right to request "restrictions" for highly sensitive records but the provider does not have to agree. When the subpoena arrives, everything will be copied unless the patient gets a protective order.
The Patient Access to Health Records Act (PAHRA) allows patients to access their own records—and quickly. California law provides the right of "…inspection during business hours within five working days…" After costs are paid, the provider must "…ensure that the copies are transmitted within 15 days..." Moreover, the patient may be "…accompanied by one other person of his or her choosing." (H&S C. § 123110)
HIPAA allows providers up to 30 days to respond to patient requests. But California's 5-day rule provides "greater rights of access" and is more "stringent"; therefore, state law is not preempted by HIPAA.
PAHRA does not require any particular form of writing. If the patient wants to inspect every record, they should ask for the "designated record set" defined by HIPAA. (42 CFR §§ 164.501, 164.524(c))
California's Confidentiality of Medical Information Act (CMIA) was enacted in 1981 to regulate medical practitioners and insurance companies. CMIA was a prototype for HIPAA in 2002. The original HIPAA rule required providers to obtain written consents pertaining to "protected health information." This turned out to be a bad idea. Consequently, HIPAA adopted CMIA's "permitted" use classifications and deleted the consent requirement.
The CMIA authorization is for disclosing records. (Civil Code § 56.11) It diverges from HIPAA by requiring a specific date (not an event) for terminating the authorization. It also allows handwriting. When the authorization is printed, it must have "…typeface no smaller than 14-point type."
It is important to note: Workers' compensation is exempt from HIPAA (but not CMIA).
California lawyers can obtain medical records by writing a letter and submitting the client's signed authorization by mail. The Legislature amended Section 1158 last year and removed a major headache for lawyers. Some providers would refuse the attorney's authorization and required the patient to sign the provider's authorization. The extra step caused significant delay. The law now requires medical providers to accept the statutory form.
Section 1158 also has teeth. If the medical provider fails to make records available, the attorney can get an OSC for non-production of records. The enforcement statute CCP § 1985.7 provides, "The court shall impose monetary sanctions pursuant to Section 1158 unless it finds…the imposition of the sanction unjust."
HIPAA was modified in 2013 to give patients access to electronic medical records (EHRs). But the regulation is short on details. It says the provider must send "…a readable hard copy form or such other form and format as agreed to by the covered entity and the individual."
EHR technology is evolving and gaps are yet to be filled. Neither CMIA nor PAHRA mentions electronic records. The Evidence Code mentions records "maintained electronically" but provides no standards for transferring data. As said by rule makers in 2012, HIPAA does not require providers to scan paper documents. Providers should also reject portable media brought by patients (particularly flash drives) due to security risks. (78 FR 5633)
HIPAA recently made it easier for caregivers to get copies of records. A patient can ask the provider to send copies of medical records to anyone they want. The request must "…clearly identify the designated person and where to send…" the records. Strictly speaking, the written request is for access—not disclosure. But most providers use the same form for both purposes.
According to HIPAA, the authorization form must include "…a description of such representative's authority to act for the individual." State law determines who may act as the surrogate.
If a child is old enough to consent to a particular medical procedure, he or she can prevent parents from seeing their records. The Family Code grants minors the right to make certain health care decisions for themselves.
If an elderly patient lacks capacity to make healthcare decisions, the personal representative could be a family member or friend, or the person named in the Advance Directive. If the patient is placed in a facility, the attending physician must determine who has legal authority by interviewing the patient, reviewing records, consulting nurses and talking to family members. (H&S Code § 1418.8)
Cost reimbursement can be a sticking point. HIPAA allows providers to charge "…reasonable, cost-based fees…" California has conflicting standards. The Evidence Code allows 10 cents per page and $16 per hour for clerical costs—yet PAHRA allows 25 cents for letter-size documents and "reasonable clerical costs."
A provider could actually make $25 per minute with a 100-page/minute scanner. But a rate that is not "cost-based" would be preempted by HIPAA's "reasonable" standard.
If no lawsuit is pending, access is the easiest way to get medical records. Use the provider's form. Ask for an estimate and explanation of charges. If your client has special privacy concerns, use Evidence Code § 1158 and request "all" records. Send a professional copyist to the provider's office. Review records carefully before you file the complaint.
© Darnall Law Office 2015