News & Insights

What healthcare providers should know about disclosing patient records

Medical records may be relevant to litigation in different types of cases, including personal injury, malpractice and contractual disputes involving medical or dental (and other healthcare) providers. However, that does not mean that medical records can be freely disclosed by providers. Medical records contain sensitive and confidential personal information which generally should not be disclosed without the patient’s consent. There are two primary sources of law which protect a patient’s privacy and trust in the confidentiality of his/her medical status, condition and communications with healthcare providers.

Health Insurance Portability and Accountability Act of 1996 (HIPAA)

HIPAA is a federal statute which provides data privacy and security provisions for safeguarding health information.

New York State (“NYS”) confidentiality and privilege laws

NYS law provides for confidentiality and a privilege that protects various types of medical information. The privilege applies in litigation and protects communications that relate to the diagnosis or treatment of the patient. The privilege belongs to the patient, who is the only person who can waive it. Confidentiality is provided by common law as well as ethical rules which govern medical and dental providers and protects a broader scope of information (not only communications relating to diagnosis or treatment).

Conflicts between HIPAA and NYS law

While most medical and dental providers know about their obligations under HIPAA, the NYS law of privilege is less widely known. Complications can arise in certain instances when NYS law provides more protection to the patient and prohibits disclosure of records that may otherwise be disclosed under HIPAA.

This issue arises in various types of commercial disputes where a patient’s medical records are relevant to the litigation, but the patient is not a party to the lawsuit. Health care providers frequently receive subpoenas requesting that they provide patient records to the litigating parties, even though the patient is not a party to the litigation.

Under HIPAA, a provider can (but is not required to) disclose medical records in certain instances without obtaining consent from the patient. For example, HIPAA allows disclosure if the parties to a lawsuit agreed in writing that the patient’s records will be used only within the context of litigation, will be kept confidential and will be destroyed when the litigation is resolved. A provider may erroneously believe that the existence of such an agreement to “protect” the patient records permits him /her to disclose records without further notice to or consent from the patient. Although the provider would not violate HIPAA by disclosing the records without the patient’s consent, in this instance, s/he would violate the NYS privilege. The agreement between parties to the litigation cannot waive or impair the privilege that belongs to the non-party patient.

Since the NYS privilege provides greater protection than HIPAA, NYS law controls in this instance, so the medical records could not be disclosed without permission from the patient, notwithstanding that the disclosure would be HIPAA-compliant.

A provider who mistakenly provides records in violation of NYS law may be subject to liability. If you are a medical or dental provider and you receive a subpoena for patient records, it is important to consult a qualified attorney to ensure you do not violate New York law or impair your patients’ rights.

Learn more about our Commercial Litigation practice.

Leave a Comment