Access to medical records for a medical record review is governed by the HIPAA Privacy Rule. This article outlines the major considerations when obtaining medical records for litigation purposes.

1. http://www.mosmedicalrecordreview.com/ 1­800­670­2809
Obtaining Medical Records for Legal
requirements
Access to medical records for a medical record review is
governed by the HIPAA Privacy Rule. This article outlines
the major considerations when obtaining medical records
for litigation purposes.
An attorney handling medical litigation has to obtain the
relevant medical records of the patient to have a clear
understanding of the case via a
comprehensive medical record review.
When considering attorney access to
medical records, a significant
consideration is the HIPAA Privacy
Rule. This Rule limits the manner in
and extent to which “covered entities”
such as healthcare providers are
allowed to share information with
third
parties.
So,
attorneys
representing healthcare providers, plaintiffs and insurers
will be affected by the Privacy Rule. It follows therefore
that lawyers and attorneys handling such cases need to have
a basic understanding about the Privacy Rule, how it relates
to the laws of each state and also how it would affect their
access to the required medical records.
“Use” and “Disclosure” in HIPAA
These two terms relate to how covered entities including
healthcare providers, hospitals, physician practices, nursing
homes and other healthcare facilities share PHI or protected
http://www.mosmedicalrecordreview.com/ 1­800­670­2809

2. http://www.mosmedicalrecordreview.com/ 1­800­670­2809
health information. “Use” refers to sharing the PHI with a
covered entity, whereas “disclosure” refers to sharing the
information outside a covered entity. In general, a covered
entity is required to obtain the concerned patient’s written
consent known as “authorization” before using or
disclosing PHI. Let us look at how these affect attorneys
handling medical litigation. As mentioned in the Code of
Federal Regulations,
•
From the attorney’s point of view, there are certain
exceptions to this rule that are beneficial when it
comes to accessing medical records. The Rule clarifies
that “conducting or arranging for … legal services”
comes under business and management functions of
the covered entity known as “healthcare operations.”
When engaged in these functions, covered entities can
use as well as disclose PHI without authorization. This
makes it easy for attorneys to gain access to the
required medical information without authorization,
when they are representing healthcare providers.
However, attorneys requesting medical records from
non-client healthcare providers are not eligible for this
exception. They will have to obtain patient
authorization before accessing the medical records.
• The Privacy Rule allows healthcare providers to
disclose PHI to attorneys (both their own attorney as
well as other attorneys) without prior authorization in
the wake of an administrative or court order; or
subject to certain conditions, discovery request, a
subpoena or other “lawful process.”
http://www.mosmedicalrecordreview.com/ 1­800­670­2809

3. http://www.mosmedicalrecordreview.com/ 1­800­670­2809
• Properly “de-identified” information (i.e. information
from which around 18 specified identity revealing
details have been removed) can also be shared with
attorneys without authorization.
Attorneys as Business Associates
Attorneys representing covered entities are their “business
associates.” All covered entities have to enter into a
contract with their business associates, a contract
containing provisions regarding the allowed uses the
business associate can make, and the manner in which the
business associate must protect the confidentiality of any
PHI received for or on behalf of the healthcare provider.
This contract is valid irrespective of whether the business
associate is performing functions that necessitate an
authorization from the patient. Since legal representation is
a healthcare operation, the uses and disclosures of PHI that
attorneys make when representing their healthcare clients
will not require authorization under the Privacy Rule. So,
what are the precautions attorneys are expected to observe
with regard to the medical information they obtain?
• Attorneys will have to employ “appropriate
safeguards” to prevent uses and disclosures that are
not allowed.
• They will have to report any unauthorized use and
disclosure to the provider client.
• Make sure that subcontractors/agents who are given
access to the PHI agree to all binding restrictions and
conditions.
http://www.mosmedicalrecordreview.com/ 1­800­670­2809

4. http://www.mosmedicalrecordreview.com/ 1­800­670­2809
• Ensure that the PHI is available for inspection and any
required amendment by the concerned patient.
• Track any disclosures of PHI in case the patient asks
for details regarding those.
• Reveal their records/books if there is an HIPAA audit.
• Destroy/return all PHI when the client-attorney
relationship terminates.
It is important to note that attorneys who enter into a
business associate contract with provider clients gain easy
access to PHI without authorization. But the use and
disclosure of the information obtained is limited by the
contract. Attorneys trying to obtain medical records from
non-clients are not bound by the business associate contract
tenets. However, in most cases they will have to obtain
authorization to access the medical records.
Requesting and Reviewing Medical Records for
Litigation Purposes
The process of getting medical records involves
considerable investment in terms of money, time and effort.
Healthcare providers may be slow to respond, and this in
turn may necessitate the law firm to spend more resources
for follow-up purposes. When it becomes hard to obtain
medical records, legal professionals can obtain them from
the other party through the discovery process. Discovery
entitles each party to gain access to documents that are
relevant to the case. An RFP (Request for Production) can
be made to the other party and in case they deny, you may
http://www.mosmedicalrecordreview.com/ 1­800­670­2809

5. http://www.mosmedicalrecordreview.com/ 1­800­670­2809
have to use a subpoena. This will ensure that the documents
you need are brought to court. Once the court reviews the
medical records for any PHI under HIPAA, either party can
inspect or copy them.
When it comes to reviewing medical records, attorneys can
obtain the assistance of a medical review company that
usually has physicians and nurses on staff as medical
review professionals. The review process will then be
hassle free and accurate, with the required medical
information made available within the required turnaround
time. These medical review professionals check the records
for comprehensiveness, completeness, consistency,
relevance and timeliness. Reputable medical review
companies provide medical review services at a reasonable
pricing so that attorneys benefit from cost-effective, timely
and accurate medical record review.
Obtaining and reviewing medical records for medical
litigation can be arduous and time consuming. However,
with a basic awareness of the rules involved in obtaining
the medical records and with the able support of a medical
record review company, attorneys and lawyers can prepare
well for trial and go ahead to win their case.
Posted by MOS Medical Record Review Company
http://www.mosmedicalrecordreview.com/
http://www.mosmedicalrecordreview.com/ 1­800­670­2809