As noted this week in a blog posting from Hunton & Williams, a ruling issued in February from a federal district court in Ohio highlights some of the legal complexities in navigating both state and federal laws governing the disclosure of personal information in medical records. In the case, Turk v. Oiler, the plaintiff sued a Cleveland medical clinic for violating his privacy rights under Ohio law when it disclosed his medical records in response to grand jury subpoena. While the facts of the case related to a variety of issues, the salient detail from a privacy rights standpoint is that the plaintiff had been arrested for possession of a concealed weapon firearm, and for carrying a firearm under disability, which is illegal in Ohio. The subpoena of Turk's medical records was intended to help investigators show that he did in fact have a disability (specifically being drug dependent), and therefore to provide evidence that he was in violation of Ohio law because he was carrying a firearm.
The Cleveland clinic justified its action in furnishing Turk's medical records to the grand jury under a statutory provision under HIPAA (45 CFR §164.512(e)(ii)) that permits the disclosure of protected health information by a covered entity "in response to a subpoena, discovery request, or other lawful process." While not cited in the case, the other federal statute most relevant to medical record data concerning drug and alcohol abuse, 42 CFR Part 2, provides a similar exception from disclosure constraints "if authorized by an appropriate order of a court of competent jurisdiction granted after application showing good cause therefor" (§290dd-3(b)(2)(C)), which even trumps a provision that no record disclosed under Part 2 "may be used to initiate or substantiate any criminal charges against a patient or to conduct any investigation of a patient." Based on federal disclosure rules, the clinic seems to be on solid legal ground. Ohio law, however, has its own restrictions on disclosure or testimony regarding doctor-patient communication (O.R.C. 2317.02, which the court construes to include medical records), and because the state law is more restrictive than HIPAA, federal law does not preempt it. Because of procedural motions and the dismissal of the carry-under-disability charge in previous court proceedings, the district court was the first to actually consider Turk's privacy violation claims, leading it to refuse to dismiss the claim against the clinic. The Hunton & Williams post notes that since the ruling, Turk subsequently dismissed all his claims against the clinic, suggesting that some sort of settlement was reached after the district court's ruling. The obvious message for any health care organization seeking to ensure compliance with health information disclosure laws is, considering federal requirements alone is insufficient, especially where state laws impose tighter restrictions than HIPAA or other federal privacy rules.
Bejtlich Teaching at Black Hat USA 2014
1 day ago