THE HIPAA PRIVACY RULE – AN OVERVIEW FOR COUNSEL

WILL HUGHES, Harlingen
Adams & Graham, L.L.P.

State Bar of Texas
12TH ANNUAL ADVANCED MEDICAL MALPRACTICE COURSE
March 17-18, 2005
Santa Fe, NM

CHAPTER 11


WILL HUGHES

Will Hughes is a partner in the Health Law Section at Adams & Graham, L.L.P.

Mr. Hughes is Board Certified in Health Law by the Texas Board of Legal Specialization. Prior to joining Adams & Graham, Mr. Hughes was employed as a briefing attorney for the Court of Appeals for the Fifth District of Texas at Dallas. Mr. Hughes briefed for the Honorable Justice James A. Baker. Upon completing his clerkship with the appellate court, Mr. Hughes began working as an associate attorney at Adams & Graham, L.L.P. His primary practice is in the firm’s health law section representing hospitals, physicians, hospital committees, and other health care entities on litigation and non-litigation related matters. Mr. Hughes is a charter member of the Health Law Advisory Commission of the Texas Board of Legal Specialization.

Mr. Hughes serves as a resource to hospitals and other health care providers on a number of issues including medical staff affairs, physician and group contracts, patient consent, withdrawal of life support, regulatory matters including the HIPAA Privacy Rule, statutory requirements affecting health care entities, contract issues, patient confidentiality, and documentation. Mr. Hughes is a 1990 graduate from The South Texas College of Law in Houston, Texas, where he was a member on the South Texas Law Review and Order of the Lytae. Mr. Hughes is admitted to practice before all State courts in Texas and the United States District Courts for the Northern and Southern Districts of Texas and the United States Fifth Circuit Court of Appeals. Mr. Hughes obtained his B.B.A. in Management and International Business in 1983 from the University of Texas at Austin.

The HIPAA Privacy Rule
12th Annual Advanced Medical Malpractice Course

Will Hughes
Board Certified - Health Law - Texas Board of Legal Specialization

Hipaa Legislation

• Hipaa Privacy Rule - implementing legislation, the Health Insurance Portability and Accountability Act of 1996, Public Law No. 104-191, 110 Stat. 1936 (1996); codified in Part C of the United States Code Annotated, Subchapter XI titled Administrative Simplification. 42 U.S.C.A. §§ 1320d-1320d-8 (West 2003 & Supp. 2004).

Hipaa - Constitutional

• South Carolina Med. Assn. v. Thompson, 327 F.3d 346 (4th Cir.), cert. denied, 540 U.S. 981 (2003).

• Fourth Circuit - HIPAA was constitutional.

• HIPAA applies to electronic and non-electronic information.

• Gives Dept. of HHS carte blanche regulatory authority.

Hipaa Privacy Rule & Regulatory Background Information

• Privacy Rule - 45 C.F.R. §§ 160.101-312 (2004), and 45 C.F.R. §§ 164.102-534 (2004).

• OCR Guidance - Office of Civil Rights of the Department of Health and Human Services, Standards for Privacy of Individually Identifiable Health Information (2002) (see HHS web site at http://www.hhs.gov/ocr/hipaa).

• Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82461, 82471 (2000) (HHS interpretive guidance accompanying final privacy rule).

• Attachments 1 and 2. OCR HHS Consumer Information Handout summarizing patient rights afforded by the Hipaa Privacy Rule.

The Privacy Rule

• Establishes a foundation of federally-protected rights for patients to control certain uses and disclosures of their protected health information (PHI).

• Comprehensive regulatory scheme governing access to and how information is transmitted inside and outside a covered entity.

• No waiver provision in the Privacy Rule.

• April 14, 2003, was the effective date for most covered entities.

Covered Entities

• Health plans

• Health care clearinghouses

• Health care providers who conduct financial and administrative transactions electronically. This would include all hospitals and most doctors.

• Note: These covered entities are bound by the new privacy standards even if they contract with others to perform some of their essential functions.

TPO - Treatment, Payment & Health Care Operations

• Encompasses all of the activities that Covered Entities commonly engage in.

• Exempts Covered Entities from the requirement that a CE obtain / provide:
– Authorization;
– Consent; and
– Account for disclosures of PHI.

TPO - Treatment

• Treatment - means the provision, coordination, or management of health care and related services among health care providers or by a health care provider with a third party, consultation between health care providers regarding a patient, or the referral of a patient from one health care provider to another.

TPO - Payment

• Payment - encompasses the various activities of health care providers to obtain payment or be reimbursed for their services and of a health plan to obtain premiums, to fulfill their coverage responsibilities and provide benefits under the plan, and to obtain or provide reimbursement for the provision of health care.

TPO - Health Care Operations

• Operations - are certain administrative, financial, legal, and quality improvement activities of a CE that are necessary to run its business and to support the core functions of treatment and payment. These activities are limited to those delineated by definition in 45 CFR 164.501.

• Primary Focus for Attorneys working with Covered Entities.

Minimum Necessary Requirement

• A CE must implement reasonable minimum necessary policies and procedures that limit how much protected health information is used, disclosed, and requested for certain purposes. This means limiting who has access to PHI within the CE based on that person’s job responsibilities, as well as how information is disclosed externally.

MINIMUM NECESSARY REQUIREMENT

• The Privacy Rule minimum necessary requirement DOES NOT APPLY to the following:
– Disclosures to or requests by a health care provider for treatment purposes;
– Disclosures to the individual who is the subject of the information;
– Uses or disclosures made pursuant to an individual’s authorization;
– HHS mandated disclosures for administrative simplification and enforcement; and
– Uses and disclosures that are required by other law.

• BUT DOES APPLY to:
– Payment and Health Care Operations

MINIMUM NECESSARY DETERMINATION

• REASONABLE RELIANCE RULE - permits a CE to rely on the judgment of the party requesting the disclosure as to the minimum amount of information that is needed. Some examples of this are when the request is made by:
– A public official or agency who states the information is the minimum necessary for certain enumerated purposes (See 45 CFR 164.512).
– Another CE - rationale is that one CE is entitled to rely on another CE’s minimum necessary determination.
– A professional who is a workforce member or BA of the CE who says the information is the minimum necessary for the stated purpose - rationale is that the BAA should provide that the BA will limit its uses and disclosures of and requests for PHI to be consistent with the CE’s minimum necessary policies, and the CE is entitled to rely on this representation.

BA - Business Associates

• A person who assists a CE in a function or activity involving the use and disclosure of PHI. CEs are allowed to disclose PHI to a BA when the CE obtains satisfactory assurances from the BA that the BA will appropriately safeguard the PHI it receives or creates on behalf of the CE. The satisfactory assurances must be in writing.

• A sample Business Associate Agreement is included as Attachment 3.

Lawyers are Business Associates

• The Privacy Rule definition of a Business Associate specifically references outside counsel by defining Business Associates as persons who “[p]rovide[], other than in the capacity of a member of the workforce of such covered entity, legal . . . services to or for such covered entity, . . . where the provision of the service involves the disclosure of individually identifiable health information from such covered entity . . . to the person.” 45 C.F.R. § 160.103 (2004).

• The definition of health care operations also specifically references “[c]onducting or arranging for legal services.” 45 C.F.R. § 164.501 (2004).

BA Contract Requirements

• Describe the permitted and required uses of PHI by the BA, not authorize the BA to use PHI in ways that violate the Privacy Rule, and require that the BA not use or further disclose the PHI other than as permitted or required by the contract or as required by law.

• Require that the BA use appropriate safeguards to prevent a use or disclosure of PHI other than as provided for by the contract.

• Ensure that any agents or subcontractors to whom the BA provides PHI agree to the same restrictions as the BA.

• Where a CE knows of a violation by the BA, the CE must take reasonable steps to end the violation and, if unsuccessful, terminate the contract. If termination is not feasible, the CE must notify the HHS OCR.

Privacy Rule Enforcement

• HHS has authority over CEs and not BAs, and only has authority to condition a CE’s disclosures to BAs on the CE having a BAA with the BA.

• BAs are not subject to civil and criminal fines or the Privacy Rule unless the BA is also itself a CE.
– e.g. no BAA is required when a hospital shares PHI with another health care provider; however, another CE would be a BA when the health care provider is hired for QA activities, training activities, etc. In these circumstances a BAA is necessary and this CE acting as a BA is subject to OCR enforcement.

• CEs need only enter into written contracts with BAs to protect PHI and are not required to oversee the means by which BAs carry out the privacy requirements of the BAA.

Defense Counsel Should Comply with the Privacy Rule

• Defense counsel are Business Associates and should execute a BAA with their CE client.

• Before retaining independent experts the attorney should obtain a Business Associate Subcontractor Agreement with the expert.

• A sample agreement is included as Attachment 4.

• Case law requires attorney compliance with the Privacy Rule.

Northwest Mem. Hosp. v. Ashcroft, 362 F.3d 923 (7th Cir. 2004) (preemption analysis)

• U.S. DOJ issued a subpoena for a medical expert’s patient records. Illinois State law was more stringent than Hipaa.

• Hipaa does not create a federal patient medical records privilege; it is simply a procedural device.

• DOJ was required to comply with the Privacy Rule.

• Because federal substantive law controlled, the greater protections provided in State law were inapplicable to the federal government’s attempt to obtain PHI.

• Enforcement of federal law would be hamstrung if state law privileges were applicable to all federal cases.

Keshecki v. St. Vincent’s Medical Center, 785 N.Y.S.2d 300 (2004) (ex parte communications)

• Malpractice case involving birth injury where hospital counsel contacted subsequent treating physicians.

• N.Y. law required no patient authorization because bringing suit waived the statutory physician-patient privilege.

• N.Y. allowed private ex parte meetings following discovery and would not preclude the doctor from testifying following the filing of a “note of issue.”

• “This federal rule preempts all state laws governing the treatment of PHI unless those laws are more stringent ….”

• As a sanction the court precluded the hospital from introducing opinion testimony from the treaters.

Crenshaw v. Mony Life Ins. Co., 318 F.Supp.2d 1015 (S.D. Calif. 2004) (ex parte communications)

• Diversity case alleging wrongful denial of disability benefits to a psychiatrist due to worsening tinnitus.

• Patient saw a Dr. Harris one time years before filing suit.

• Defense counsel hired Dr. Harris as an expert witness.

• Court determined defense counsel “violated Hipaa by contacting Dr. Harris ex parte in the absence of a qualified protective order and without a formal discovery request.”

• Plaintiff sought sanctions and disqualification of the expert and defense counsel.

• Court found the Privacy Rule violation not to be egregious and imposed lesser sanctions.

Law v. Zuckerman, M.D., 307 F. Supp.2d 705, 707 (D. Md. 2004) (ex parte communications)

• Diversity case alleging gynecological surgical malpractice.

• During trial Ms. Law made an oral motion to prohibit defense counsel from conducting ex parte interviews of her treating physician.

• Court determined the Privacy Rule regulates the methods by which PHI is disclosed by the CE, including oral medical records, preempting less stringent Maryland law.

• Good discussion of all the ways PHI can be used in judicial and administrative proceedings.

• Court initially ruled for the defense and then changed her mind.

• Did not prohibit defendant from calling the treater because it was okay to talk about scheduling testimony, deposition locations, service of a subpoena, etc.

Texas Preemption Analysis by Attorney General

• Preemption Analysis of Texas Laws Relating to the Privacy of Health Information & Health Insurance Portability & Accountability Act (HIPAA) (Nov. 1, 2004) (on file with the Texas Attorney General’s Office).

• Very few State laws were actually preempted because it is not impossible to comply with both State and federal law.

• Analyzes the entire body of Texas law in connection with the Hipaa Privacy Rule, including the Texas Civil Practice and Remedies Code, Rules of Evidence, and Texas Cases and Common Law Principles.

• Determined that the medical peer review and medical committee privileges were not preempted by Hipaa.

PHI IN COURT AND ADMIN PROCEEDINGS

• CE may disclose PHI in response to:

• (1) an order of a court or administrative tribunal, provided the disclosure is limited to the PHI expressly authorized by the order; or

• (2) a subpoena, discovery request, or other lawful process that is not accompanied by an order of a court or administrative tribunal, if (A) the CE receives satisfactory assurance from the requestor that reasonable efforts have been made by the requesting party to ensure that the individual who is the subject of the PHI that has been requested has been given NOTICE of the request; or (B) the CE receives satisfactory assurance from the requesting party that reasonable efforts have been made by such party to secure a QUALIFIED PROTECTIVE ORDER that meets Hipaa requirements. 42 CFR 164.512(e).

PHI IN COURT AND ADMIN PROCEEDINGS

• NOTICE - For purposes of (A) above, a CE receives satisfactory assurances from the party seeking PHI if the CE receives from such party a written statement and accompanying documentation demonstrating (1) the requesting party made a good faith attempt to provide written notice to the individual (or, if the individual’s address is unknown, to their last known address); (2) the notice included sufficient information about the litigation or proceeding in which the PHI is requested to permit the individual to raise an objection to the court or administrative tribunal; (3) the time to raise an objection to the court or administrative tribunal has elapsed; and (4) no objections were filed or all objections filed have been resolved by the court or tribunal and the disclosure sought is consistent with such resolution.

• Attachment 5, sample affidavit used to subpoena records.

PHI IN COURT AND ADMIN PROCEEDINGS

• QUALIFIED PROTECTIVE ORDER - For purposes of (B) above, a CE receives satisfactory assurances from the party seeking PHI if the CE receives from such party a written statement and accompanying documentation demonstrating the parties to the dispute giving rise to the request for information have agreed to a qualified protective order and have presented it to the court or admin tribunal with jurisdiction over the dispute, or the party requesting the PHI has requested a qualified protective order from the appropriate tribunal. A Qualified Protective Order is an order of a court or of an admin tribunal or a Stipulation by the parties to the litigation or administrative proceeding that (1) prohibits the parties from using or disclosing the PHI for any purpose other than the litigation or proceeding for which such information was requested; and (2) requires the return to the CE or destruction of the PHI (including all copies made) at the end of the litigation or proceeding.

OCR FAQ - Litigation Use of PHI

Where a covered entity is a party to a legal proceeding, such as a plaintiff or defendant, the covered entity may use or disclose protected health information for purposes of the litigation as part of its health care operations. The definition of “health care operations” at 45 CFR 164.501 includes a covered entity’s activities of conducting or arranging for legal services to the extent such activities are related to the covered entity’s covered functions (i.e., those functions that make the entity a health plan, health care provider, or health care clearinghouse), including legal services related to an entity’s treatment or payment functions. Thus, for example, a covered entity that is a defendant in a malpractice action or a plaintiff in a suit to obtain payment may use or disclose protected health information for such litigation as part of its health care operations. The covered entity, however, must make reasonable efforts to limit such uses and disclosures to the minimum necessary to accomplish the intended purpose. See 45 CFR 164.502(b), 164.514(d).

Where the covered entity is not a party to the proceeding, the covered entity may disclose protected health information for the litigation in response to a court order, subpoena, discovery request, or other lawful process, provided the applicable requirements of 45 CFR 164.512(e) for disclosures for judicial and administrative proceedings are met.

The HIPAA Privacy Rule
12th Annual Advanced Medical Malpractice Course

CONCLUSION

Will Hughes
Board Certified - Health Law - Texas Board of Legal Specialization
Adams & Graham, L.L.P.

ATTACHMENT 1

Your Health Information Privacy Rights

Privacy is important to all of us

You have privacy rights under a federal law that protects your health information. These rights are important for you to know. You can exercise these rights, ask questions about them, and file a complaint if you think your rights are being denied or your health information isn't being protected.

Who must follow this law?

• Most doctors, nurses, pharmacies, hospitals, clinics, nursing homes, and many other health care providers

• Health insurance companies, HMOs, most employer group health plans

• Certain government programs that pay for health care, such as Medicare and Medicaid

Providers and health insurers who are required to follow this law must comply with your right to . . .

Ask to see and get a copy of your health records
You can ask to see and get a copy of your medical record and other health information. You may not be able to get all of your information in a few special cases. For example, if your doctor decides something in your file might endanger you or someone else, the doctor may not have to give this information to you. In most cases, your copies must be given to you within 30 days, but this can be extended for another 30 days if you are given a reason. You may have to pay for the cost of copying and mailing if you request copies and mailing.

Have corrections added to your health information
You can ask to change any wrong information in your file or add information to your file if it is incomplete. For example, if you and your hospital agree that your file has the wrong result for a test, the hospital must change it. Even if the hospital believes the test result is correct, you still have the right to have your disagreement noted in your file. In most cases the file should be changed within 60 days, but the hospital can take an extra 30 days if you are given a reason.

Receive a notice that tells you how your health information is used and shared
You can learn how your health information is used and shared by your provider or health insurer. They must give you a notice that tells you how they may use and share your health information and how you can exercise your rights. In most cases, you should get this notice on your first visit to a provider or in the mail from your health insurer, and you can ask for a copy at any time.

Decide whether to give your permission before your information can be used or shared for certain purposes
In general, your health information cannot be given to your employer, used or shared for things like sales calls or advertising, or used or shared for many other purposes unless you give your permission by signing an authorization form. This authorization form must tell you who will get your information and what your information will be used for.

Get a report on when and why your health information was shared
Under the law, your health information may be used and shared for particular reasons, like making sure doctors give good care, making sure nursing homes are clean and safe, reporting when the flu is in your area, or making required reports to the police, such as reporting gunshot wounds. In many cases, you can ask for and get a list of who your health information has been shared with for these reasons. You can get this report for free once a year. In most cases you should get the report within 60 days, but it can take an extra 30 days if you are given a reason.

Ask to be reached somewhere other than home
You can make reasonable requests to be contacted at different places or in a different way. For example, you can have the nurse call you at your office instead of your home, or send mail to you in an envelope instead of on a postcard. If sending information to you at home might put you in danger, your health insurer must talk, call, or write to you where you ask and in the way you ask, if the request is reasonable.

Ask that your information not be shared
You can ask your provider or health insurer not to share your health information with certain people, groups, or companies. For example, if you go to a clinic, you could ask the doctor not to share your medical record with other doctors or nurses in the clinic. However, they do not have to agree to do what you ask.

File complaints
If you believe your information was used or shared in a way that is not allowed under the privacy law, or if you were not able to exercise your rights, you can file a complaint with your provider or health insurer. The privacy notice you receive from them will tell you who to talk to and how to file a complaint. You can also file a complaint with the U.S. Government.

Other privacy rights
You may have other health information rights under your state's laws. When these laws affect how your health information can be used or shared, that should be made clear in the notice you receive.

For more information
This is a brief summary of your rights and protections under the federal health information privacy law. You can ask your provider or health insurer questions about how your health information is used or shared and about your rights. You also can learn more, including how to file a complaint with the U.S. Government, at the website at www.hhs.gov/ocr/hipaa/ or by calling 1-866-627-7748; the phone call is free.

Published by:
U.S. Department of Health & Human Services Office for Civil Rights


ATTACHMENT 2


Privacy and Your Health Information

Your Health Information Is Protected By Federal Law

Your Privacy Is Important to All of Us

The Law Gives You Rights Over Your Health Information

Most of us feel that our health and medical information is private and should be protected, and we want to know who has this information. Now, Federal law

• Gives you rights over your health information

• Sets rules and limits on who can look at and receive your health information

Who must follow this law?

• Most doctors, nurses, pharmacies, hospitals, clinics, nursing homes, and many other health care providers

• Health insurance companies, HMOs, most employer group health plans

• Certain government programs that pay for health care, such as Medicare and Medicaid

What information is protected?

• Information your doctors, nurses, and other health care providers put in your medical record

• Conversations your doctor has about your care or treatment with nurses and others

• Information about you in your health insurer's computer system

• Billing information about you at your clinic

• Most other health information about you held by those who must follow this law

Providers and health insurers who are required to follow this law must comply with your right to

• Ask to see and get a copy of your health records

• Have corrections added to your health information

• Receive a notice that tells you how your health information may be used and shared

• Decide if you want to give your permission before your health information can be used or shared for certain purposes, such as for marketing

• Get a report on when and why your health information was shared for certain purposes

If you believe your rights are being denied or your health information isn't being protected, you can

• File a complaint with your provider or health insurer

• File a complaint with the U.S. Government

You should get to know these important rights, which help you protect your health information. You can ask your provider or health insurer questions about your rights. You also can learn more about your rights, including how to file a complaint, from the website at www.hhs.gov/ocr/hipaa/ or by calling 1-866-627-7748; the phone call is free.

The Law Sets Rules and Limits on Who Can Look At and Receive Your Information

The Law Protects the Privacy of Your Health Information

Providers and health insurers who are required to follow this law must keep your information private by

• Teaching the people who work for them how your information may and may not be used and shared

• Taking appropriate and reasonable steps to keep your health information secure

To make sure that your information is protected in a way that does not interfere with your health care, your information can be used and shared

• For your treatment and care coordination

• To pay doctors and hospitals for your health care and help run their businesses

• With your family, relatives, friends or others you identify who are involved with your health care or your health care bills, unless you object

• To make sure doctors give good care and nursing homes are clean and safe

• To protect the public's health, such as by reporting when the flu is in your area

• To make required reports to the police, such as reporting gunshot wounds

Your health information cannot be used or shared without your written permission unless this law allows it. For example, without your authorization, your provider generally cannot

• Give your information to your employer

• Use or share your information for marketing or advertising purposes

• Share private notes about your mental health counseling sessions

For More Information

This is a brief summary of your rights and protections under the federal health information privacy law. You can learn more about health information privacy and your rights in a fact sheet called "Your Health Information Privacy Rights". You can get this from the website at www.hhs.gov/ocr/hipaa/. You can also call 1-866-627-7748; the phone call is free.

Other privacy rights
Another law provides additional privacy protections to patients of alcohol and drug treatment programs. For more information, go to the website at www.samhsa.gov.

Published by:
U.S. Department of Health & Human Services Office for Civil Rights


ATTACHMENT 3


Located at the Office for Civil Rights Web site at http://www.hhs.gov/ocr/resource.html

SAMPLE BUSINESS ASSOCIATE CONTRACT PROVISIONS (Published in FR 67 No. 157, pg. 53182, 53264 (August 14, 2002))

Statement of Intent

The Department provides these sample business associate contract provisions in response to numerous requests for guidance. This is only sample language. These provisions are designed to help covered entities more easily comply with the business associate contract requirements of the Privacy Rule. However, use of these sample provisions is not required for compliance with the Privacy Rule. The language may be amended to more accurately reflect business arrangements between the covered entity and the business associate.

These or similar provisions may be incorporated into an agreement for the provision of services between the entities or they may be incorporated into a separate business associate agreement. These provisions only address concepts and requirements set forth in the Privacy Rule and alone are not sufficient to result in a binding contract under State law. They do not include many formalities and substantive provisions that are required or typically included in a valid contract. Reliance on this sample is not sufficient for compliance with State law and does not replace consultation with a lawyer or negotiations between the parties to the contract.

Furthermore, a covered entity may want to include other provisions that are related to the Privacy Rule but that are not required by the Privacy Rule. For example, a covered entity may want to add provisions in a business associate contract in order for the covered entity to be able to rely on the business associate to help the covered entity meet its obligations under the Privacy Rule. In addition, there may be permissible uses or disclosures by a business associate that are not specifically addressed in these sample provisions, for example having a business associate create a limited data set. These and other types of issues will need to be worked out between the parties.

Sample Business Associate Contract Provisions¹

Definitions (alternative approaches)

Catch-all definition:

Terms used, but not otherwise defined, in this Agreement shall have the same meaning as those terms in the Privacy Rule.

Examples of specific definitions:

1. Business Associate. "Business Associate" shall mean [Insert Name of Business Associate].

2. Covered Entity. "Covered Entity" shall mean [Insert Name of Covered Entity].

3. Individual. "Individual" shall have the same meaning as the term "individual" in 45 CFR § 164.501 and shall include a person who qualifies as a personal representative in accordance with 45 CFR § 164.502(g).

4. Privacy Rule. "Privacy Rule" shall mean the Standards for Privacy of Individually Identifiable Health Information at 45 CFR Part 160 and Part 164, Subparts A and E.

5. Protected Health Information. "Protected Health Information" shall have the same meaning as the term "protected health information" in 45 CFR § 164.501, limited to the information created or received by Business Associate from or on behalf of Covered Entity.


6. Required By Law. "Required By Law" shall have the same meaning as the term "required by law" in 45 CFR § 164.501.

7. Secretary. "Secretary" shall mean the Secretary of the Department of Health and Human Services or his designee.

Obligations and Activities of Business Associate

1. Business Associate agrees to not use or disclose Protected Health Information other than as permitted or required by the Agreement or as Required By Law.

2. Business Associate agrees to use appropriate safeguards to prevent use or disclosure of the Protected Health Information other than as provided for by this Agreement.

3. Business Associate agrees to mitigate, to the extent practicable, any harmful effect that is known to Business Associate of a use or disclosure of Protected Health Information by Business Associate in violation of the requirements of this Agreement. [This provision may be included if it is appropriate for the Covered Entity to pass on its duty to mitigate damages to a Business Associate.]

4. Business Associate agrees to report to Covered Entity any use or disclosure of the Protected Health Information not provided for by this Agreement of which it becomes aware.

5. Business Associate agrees to ensure that any agent, including a subcontractor, to whom it provides Protected Health Information received from, or created or received by Business Associate on behalf of Covered Entity agrees to the same restrictions and conditions that apply through this Agreement to Business Associate with respect to such information.

6. Business Associate agrees to provide access, at the request of Covered Entity, and in the time and manner [Insert negotiated terms], to Protected Health Information in a Designated Record Set, to Covered Entity or, as directed by Covered Entity, to an Individual in order to meet the requirements under 45 CFR § 164.524. [Not necessary if business associate does not have protected health information in a designated record set.]

7. Business Associate agrees to make any amendment(s) to Protected Health Information in a Designated Record Set that the Covered Entity directs or agrees to pursuant to 45 CFR § 164.526 at the request of Covered Entity or an Individual, and in the time and manner [Insert negotiated terms]. [Not necessary if business associate does not have protected health information in a designated record set.]

8. Business Associate agrees to make internal practices, books, and records, including policies and procedures and Protected Health Information, relating to the use and disclosure of Protected Health Information received from, or created or received by Business Associate on behalf of, Covered Entity available [to the Covered Entity, or] to the Secretary, in a time and manner [Insert negotiated terms] or designated by the Secretary, for purposes of the Secretary determining Covered Entity's compliance with the Privacy Rule.

9. Business Associate agrees to document such disclosures of Protected Health Information and information related to such disclosures as would be required for Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528.

10. Business Associate agrees to provide to Covered Entity or an Individual, in time and manner [Insert negotiated terms], information collected in accordance with Section [Insert Section Number in Contract Where Provision (i) Appears] of this Agreement, to permit Covered Entity to respond to a request by an Individual for an accounting of disclosures of Protected Health Information in accordance with 45 CFR § 164.528.


Permitted Uses and Disclosures by Business Associate

General Use and Disclosure Provisions [(1) and (2) are alternative approaches]

1. Specify purposes:

Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information on behalf of, or to provide services to, Covered Entity for the following purposes, if such use or disclosure of Protected Health Information would not violate the Privacy Rule if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity: [List Purposes].

2. Refer to underlying services agreement:

Except as otherwise limited in this Agreement, Business Associate may use or disclose Protected Health Information to perform functions, activities, or services for, or on behalf of, Covered Entity as specified in [Insert Name of Services Agreement], provided that such use or disclosure would not violate the Privacy Rule if done by Covered Entity or the minimum necessary policies and procedures of the Covered Entity.

Specific Use and Disclosure Provisions [only necessary if parties wish to allow Business Associate to engage in such activities]

1. Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information for the proper management and administration of the Business Associate or to carry out the legal responsibilities of the Business Associate.

2. Except as otherwise limited in this Agreement, Business Associate may disclose Protected Health Information for the proper management and administration of the Business Associate, provided that disclosures are Required By Law, or Business Associate obtains reasonable assurances from the person to whom the information is disclosed that it will remain confidential and used or further disclosed only as Required By Law or for the purpose for which it was disclosed to the person, and the person notifies the Business Associate of any instances of which it is aware in which the confidentiality of the information has been breached.

3. Except as otherwise limited in this Agreement, Business Associate may use Protected Health Information to provide Data Aggregation services to Covered Entity as permitted by 45 CFR § 164.504(e)(2)(i)(B).

4. Business Associate may use Protected Health Information to report violations of law to appropriate Federal and State authorities, consistent with § 164.502(j)(1).

Obligations of Covered Entity

Provisions for Covered Entity to Inform Business Associate of Privacy Practices and Restrictions [provisions dependent on business arrangement]

1. Covered Entity shall notify Business Associate of any limitation(s) in its notice of privacy practices of Covered Entity in accordance with 45 CFR § 164.520, to the extent that such limitation may affect Business Associate's use or disclosure of Protected Health Information.

2. Covered Entity shall notify Business Associate of any changes in, or revocation of, permission by Individual to use or disclose Protected Health Information, to the extent that such changes may affect Business Associate's use or disclosure of Protected Health Information.

3. Covered Entity shall notify Business Associate of any restriction to the use or disclosure of Protected Health Information that Covered Entity has agreed to in accordance with 45 CFR § 164.522, to the extent that such restriction may affect Business Associate's use or disclosure of Protected Health Information.

Permissible Requests by Covered Entity

Covered Entity shall not request Business Associate to use or disclose Protected Health Information in any manner that would not be permissible under the Privacy Rule if done by Covered Entity. [Include an exception if the Business Associate will use or disclose protected health information for, and the contract includes provisions for, data aggregation or management and administrative activities of Business Associate].

Term and Termination

1. Term. The Term of this Agreement shall be effective as of [Insert Effective Date], and shall terminate when all of the Protected Health Information provided by Covered Entity to Business Associate, or created or received by Business Associate on behalf of Covered Entity, is destroyed or returned to Covered Entity, or, if it is infeasible to return or destroy Protected Health Information, protections are extended to such information, in accordance with the termination provisions in this Section. [Term may differ.]

2. Termination for Cause. Upon Covered Entity's knowledge of a material breach by Business Associate, Covered Entity shall either:

1. Provide an opportunity for Business Associate to cure the breach or end the violation and terminate this Agreement [and the _________ Agreement/ sections ____ of the ______________ Agreement] if Business Associate does not cure the breach or end the violation within the time specified by Covered Entity;

2. Immediately terminate this Agreement [and the _________ Agreement/ sections ____ of the ______________ Agreement] if Business Associate has breached a material term of this Agreement and cure is not possible; or

3. If neither termination nor cure are feasible, Covered Entity shall report the violation to the Secretary.

[Bracketed language in this provision may be necessary if there is an underlying services agreement. Also, opportunity to cure is permitted, but not required by the Privacy Rule.]

3. Effect of Termination.

1. Except as provided in paragraph (2) of this section, upon termination of this Agreement, for any reason, Business Associate shall return or destroy all Protected Health Information received from Covered Entity, or created or received by Business Associate on behalf of Covered Entity. This provision shall apply to Protected Health Information that is in the possession of subcontractors or agents of Business Associate. Business Associate shall retain no copies of the Protected Health Information.

2. In the event that Business Associate determines that returning or destroying the Protected Health Information is infeasible, Business Associate shall provide to Covered Entity notification of the conditions that make return or destruction infeasible. Upon [Insert negotiated terms] that return or destruction of Protected Health Information is infeasible, Business Associate shall extend the protections of this Agreement to such Protected Health Information and limit further uses and disclosures of such Protected Health Information to those purposes that make the return or destruction infeasible, for so long as Business Associate maintains such Protected Health Information.

Miscellaneous


1. Regulatory References. A reference in this Agreement to a section in the Privacy Rule means the section as in effect or as amended.

2. Amendment. The Parties agree to take such action as is necessary to amend this Agreement from time to time as is necessary for Covered Entity to comply with the requirements of the Privacy Rule and the Health Insurance Portability and Accountability Act of 1996, Pub. L. No. 104-191.

3. Survival. The respective rights and obligations of Business Associate under Section [Insert Section Number Related to "Effect of Termination"] of this Agreement shall survive the termination of this Agreement.

4. Interpretation. Any ambiguity in this Agreement shall be resolved to permit Covered Entity to comply with the Privacy Rule.

¹ Words or phrases contained in brackets are intended as either optional language or as instructions to the users of these sample provisions and are not intended to be included in the contractual provisions.

Last revised: August 13, 2004


ATTACHMENT 4


Month day, year

Via Federal Express

John R. Doe, M.D.
SUPER-DOCTORS, INC.
5555 Medical Drive, Suite 999
San Antonio, TX 78777-6406

Re: Agreement for Protecting and Maintaining the Confidentiality of Health Care Information

Dear Dr. Doe:

Our office represents ____________ Medical Center, which may qualify as a covered entity under the Hipaa Privacy Rule. Assuming our client is a covered entity, we would be functioning as a business associate of this institution. The activity this institution is undertaking, and/or that we are undertaking on its behalf [insert appropriate activity: quality review and analyses, investigating a claim, etc.], falls within the parameters of the regulatory definition of health care operations. We are engaging you and your office on behalf of our client and require that you and your office maintain as confidential all of our communications, documents, and tangible things sent to you in connection with this matter. Please do not discuss this matter with any third parties.

You have indicated your willingness to assist us by providing an independent medical review of certain records from our client. These records will of necessity contain health information of one or more individuals. In order to assist us in complying with the requirements of the Hipaa Privacy Rule, we ask that you review this letter agreement. If you are willing to agree that you, your office, and your staff will be bound by all of the terms and conditions contained herein, please sign below and return this letter to us.

The terms of this agreement are as follows:

1. You will not discuss this matter with any third parties without our approval except where otherwise required by law to do so.

2. You will not release documents or information contained in any materials sent to you to any third parties without our prior approval except where otherwise legally obligated to do so.

3. You will maintain the confidentiality of the information provided to you and will appropriately secure this information.

4. You will only use information provided to you for the purpose or purposes for which it was disclosed to you.

5. You will notify us as soon as possible should you learn or suspect that the confidentiality of the information maintained by you has been compromised.

6. You will not use or further disclose the information provided to you except as permitted by our office or as otherwise required by law.

7. You will use appropriate safeguards as necessary to prevent disclosure of information provided to you.

8. You will report to us any use or disclosure not contemplated by this agreement of which you become aware.

9. You will make available any applicable internal practices, books, and records relating to use and disclosure of information received from our office as necessary to facilitate a compliance review.

10. You will return or destroy all information received from our office or created by you in connection with your work on any matter subject to this agreement.

11. If you and I or my staff agree it is not feasible to destroy or return any information in connection with your review, you agree to extend this agreement to continuously protect any information provided to you and will limit further uses and disclosures of such information.

12. You understand that our office may terminate this agreement immediately and arrange for the return at our cost of all materials provided to you.

13. You understand that the materials provided to you may include medical and billing records; however, these documents are not the original or a duplicate original of a designated record set as same is defined in the Hipaa Privacy Rule.

14. You agree to cooperate as may be necessary with our office, our client, and any governmental representative in the event of any investigation involving our client's compliance with 45 CFR Parts 160 and 164.

Please return this letter agreement to me at your earliest opportunity.

Very truly yours,

LAW FIRM, LLP

By:
Lawyer

Agreed to and Approved:

SUPER-DOCTORS, INC.

By:
John R. Doe, M.D.


ATTACHMENT 5


TO: Applicable Treating Physician c/o The MCS Group, Inc.

Re: Subpoenas for [INSERT NAMES OF PLAINTIFFS]

ATTORNEY CERTIFICATION/STATEMENT OF ASSURANCE

As the attorney filing the attached deposition on written questions for records pertaining to the above-named individuals, and causing the court reporter to issue subpoenas for these records, I hereby certify that the following statements are true and have attached hereto documentation demonstrating that each of these facts is true:

(1) I have provided written notice to the above patients through the patients' retained counsel, A_____ A________ of Law Offices of _________________, as is demonstrated by the attached copy of the certified mail, return receipt requested (copy of the green card), signifying his office received the written questions on January _, 2004.

(2) The notices that I provided and filed with the court included sufficient information about the litigation or proceeding for which the protected health information is requested to permit the patients, through their attorney, to raise an objection to the court or administrative tribunal.

(3) The time for the patients to raise objections to the written deposition with the court has elapsed and no objections were filed.

Signature of Attorney Issuing Subpoena

Date

SWORN TO AND SUBSCRIBED BEFORE ME, on this ____ day of January, 2004.

NOTARY PUBLIC IN AND FOR THE STATE OF TEXAS

My Commission Expires:


The HIPAA Privacy Rule – An Overview For Counsel Chapter 11


TABLE OF CONTENTS

POWERPOINT SLIDES

APPENDICES

I. THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 ... 1

II. THE HIPAA PRIVACY RULE—WHAT AND WHO DOES IT REGULATE ... 1

III. OVERVIEW OF THE PRIVACY RULE ... 1

IV. THE PRIVACY RULE IMPACTS EVERYONE--INCLUDING LAWYERS ... 1

V. WHAT IS PROTECTED HEALTH CARE INFORMATION ... 2

VI. SCOPE OF THE PRIVACY RULE AND CERTAIN RIGHTS AFFORDED TO PATIENTS ... 2

VII. EXCEPTIONS TO THE PRIVACY RULES FOR COVERED ENTITIES' BUSINESS ACTIVITIES ... 2

VIII. APPROPRIATE SAFEGUARDS AND MINIMUM NECESSARY ... 2

IX. TREATMENT, PAYMENT AND HEALTH CARE OPERATIONS USES OF PHI ... 3
   A. Treatment ... 3
   B. Payment ... 3
   C. Health Care Operations ... 3

X. OVERVIEW OF BUSINESS ASSOCIATES ... 3

XI. ATTORNEYS AS BUSINESS ASSOCIATES ... 4
   A. General Requirements ... 4
   B. Access to PHI ... 5
   C. Attorney Work Product Protected ... 5
   D. Right to Amend PHI ... 5
   E. Retaining Medical Experts ... 6

XII. PREEMPTION OF STATE LAW ... 6
   A. Privacy Rule Preemption Provision ... 6
   B. Preemption Analysis by the Texas Attorney General ... 7
      1. Background ... 7
      2. Medical Peer Review Committee and Medical Committee Privileges ... 7
   C. Court Cases Discussing Privacy Rule Preemption ... 7
      1. Federal Question Cases and More Stringent State Laws ... 7
      2. Privacy Rule Governs Ex Parte Contacts With Treating Physicians ... 8

XIII. DISCLOSURES OF PHI IN JUDICIAL AND ADMINISTRATIVE PROCEEDINGS ... 10
   A. General Requirements ... 10
   B. Notification Provision for Obtaining PHI in Court and Administrative Proceedings ... 11
   C. Qualified Protective Order Means of Obtaining PHI in Court or Administrative Proceedings ... 11

XIV. NO PRIVATE RIGHT OF ACTION FOR HIPAA VIOLATIONS ... 11
   A. Case Law ... 11
   B. Texas' Medical Records Privacy Statute – No Private Right of Action Allowed ... 12

XV. TEX. CIV. PRAC. & REM. CODE § 74.052 AUTHORIZATIONS ... 12

XVI. CONCLUSION ... 12



THE HIPAA PRIVACY RULE – AN OVERVIEW FOR COUNSEL

Will Hughes Adams & Graham, L.L.P.

_________________________________________________________________________

I. THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 The U.S. Dept. of Health and Human Services

promulgated the Privacy Rule as required by the Health Insurance Portability and Accountability Act of 1996, Public Law No. 104-191, 110 Stat.1936 (1996) (the Act or Hipaa). Part C of Subchapter XI titled Administrative Simplification allows the Department to enact the regulation. 42 U.S.C.A. §§ 1320d-1320d-8 (West 2003 & Supp. 2004). The Privacy Rule itself is found in the Code of Federal Regulations at 45 C.F.R. Parts 160 and 164. See generally 45 C.F.R. §§ 160.101-.312 and 45 C.F.R. §§ 164.102-.534 (Standards for Privacy of Individually Identifiable Health Information). II. THE HIPAA PRIVACY RULE—WHAT AND

WHO DOES IT REGULATE This paper will focus on the Hipaa Privacy Rule as it

applies to lawyers who interact with health care providers who are subject to the Rule’s requirements. Lawyers who represent health care providers need to understand how the Privacy Rule works. Counsel should not violate obligations the Privacy Rule imposes on their clients, and derivatively, on attorneys representing health care providers. Lawyers who seek medical information from health care providers and other entities subject to the requirements of the Privacy Rule also need to understand how the Privacy Rule operates. Courts have sanctioned attorneys for not complying with the Privacy Rule. The Privacy Rule became effective on April 14, 2003, and applies to Covered Entities. Covered Entities are health plans, health care clearinghouses, (45 C.F.R. § 160.102), and a health care provider that transmits any health information electronically, (42. U.S.C.A. § 1320d-1(a)(3) (West 2003)), in connection with certain transactions enumerated in the Administrative Simplification provisions of the Act. 42. U.S.C.A. § 1320d-2(a) (2) (West 2003). These transactions include health care claims status, encounter information, health care payment and remittance advice. The Privacy Rule governs uses and disclosures of protected health care information (PHI) by covered entities.

A health care provider is defined as a provider of medical or health services and any other person or organization who furnishes, bills, or is paid for health care in the normal course of business. 45 C.F.R. § 160.103. This definition is broader than hospitals, physicians, and other State licensed institutions we typically think of as health care providers. The federal government hopes the Privacy Rule will improve the efficiency and effectiveness of the public and private health care system by establishing uniform standards for the electronic transmission of health information and creating federal privacy rights. 110 Stat. 2021, Subtitle F, § 261 (“It is the purpose of this subtitle to improve . . . the efficiency and effectiveness of the health care system.”).

III. OVERVIEW OF THE PRIVACY RULE

The Hipaa Privacy Rule regulates the way that Covered Entities use and disclose PHI. Health information as defined in the Hipaa Privacy Rule is very broad and includes both oral and recorded information in any form or medium created or received by a health care provider. Health information is information relating to the past, present, or future physical or mental health or condition of an individual. It also includes information relating to the past, present or future payment for health care provided to an individual. 42 U.S.C.A. § 1320d(4) (West 2004); 45 C.F.R. § 160.103(2004)(Health information).

The Privacy Rule effectively federalized and expanded protections for health information. Office of Civil Rights of the Department of Health and Human Services, Standards for Privacy of Individually identifiable Health Information 1 (2002)(hereafter referred to as “OCR Guidance”).

The Privacy Rule establishes, for the first time, a foundation of Federal protections for the privacy of protected health information. The Rule does not replace Federal, State or other law that grants individuals even greater privacy protections . . . .

OCR Guidance at 3. The OCR of the Department of Health and Human Services is responsible for civil enforcement of the Privacy Rule. Two key goals of the Hipaa Privacy Rule as enunciated by the OCR are to provide strong federal protections for privacy rights while preserving quality health care as it exists in the United States. OCR Guidance 1.

IV. THE PRIVACY RULE IMPACTS EVERYONE--INCLUDING LAWYERS

By regulating Covered Entities, who are the source of individual health information, the Privacy Rule can limit the dissemination of health information to lawyers, litigants, and other individuals and entities that interact with Covered Entities. The Privacy Rule limits the ability of a Covered Entity to release PHI to third parties, including counsel who need access to PHI to perform tasks on behalf of a Covered Entity. The Privacy Rule requires that health care providers notify patients of their privacy rights and provide information on how the Covered Entity can use its patients’ PHI. 45 C.F.R. § 164.520, OCR Guidance 5. The Privacy Rule requires that Covered Entities adopt appropriate privacy procedures for their institution or practice. Covered Entities must train their employees so they understand privacy procedures, and designate an individual privacy officer who is responsible for ensuring that the entity or practice adopts appropriate privacy policies and follows them. 45 C.F.R. § 164.530, OCR Guidance 5. Covered Entities must implement reasonable safeguards to protect PHI. Id. In certain circumstances, a Covered Entity may only release the amount of PHI minimally necessary to achieve a particular purpose allowed by the Privacy Rule. 45 C.F.R. § 164.502(b).

V. WHAT IS PROTECTED HEALTH CARE INFORMATION

Protected health information is broadly defined in the Privacy Rule as individually identifiable health information transmitted by electronic media, and maintained or transmitted in any form or medium. 45 C.F.R. § 164.501. Health information is defined as any information, whether oral or recorded in any form or medium, created or received by a health care provider relating to past, present, or future physical or mental health and payment for the provision of health care. 45 C.F.R. § 160.102. Individually identifiable health information is defined as any information relating to an individual’s physical or mental health, to include demographic information, payment information, and any information that identifies the individual. 45 C.F.R. § 160.102.

VI. SCOPE OF THE PRIVACY RULE AND CERTAIN RIGHTS AFFORDED TO PATIENTS

The scope of the Privacy Rule is very broad and it strictly regulates how a Covered Entity can use its patients’ PHI. A Covered Entity may not use or disclose PHI except as permitted by the Privacy Rule. 45 C.F.R. § 164.502(a). This is important for lawyers that access PHI while providing legal services to Covered Entities. This is also important to lawyers seeking PHI from Covered Entities. The Privacy Rule contains a comprehensive listing of permissible and mandatory uses and disclosures of PHI. Mandatory disclosures of PHI include a patient’s right to access his or her PHI and a right to an accounting of certain disclosures made in the preceding six years. 45 C.F.R. § 164.524; 45 C.F.R. § 164.528.

VII. EXCEPTIONS TO THE PRIVACY RULES FOR COVERED ENTITIES’ BUSINESS ACTIVITIES

The most important permissible disclosures are treatment-related, payment-related, and health care operations-related disclosures. Treatment, payment, and health care operations are typically referred to as TPO. It is important to note that the patient’s right to an accounting does not include a requirement that the Covered Entity account for PHI used for treatment-payment-operational (TPO) purposes. 45 C.F.R. § 164.528 (right to an accounting does not apply to treatment, payment, and health care operations as defined in 45 C.F.R. § 164.506). No consent or authorization from the patient is generally required for TPO use and disclosure of PHI. See 45 C.F.R. § 164.506(b)(1) (indicating that a covered entity “may” obtain a consent for TPO use of PHI); OCR Guidance 55 (interpreting the general provisions of § 164.506 as allowing a Covered Entity, without an individual’s authorization, to use PHI for its own treatment, payment and health care operations activities).

It is important to point out that the Privacy Rule allows for certain incidental uses and disclosures of PHI as a byproduct of another permissible or required use or disclosure of PHI. 45 C.F.R. § 164.502(a)(1)(iii). Examples of permissible incidental uses and disclosures given by the Department’s Office of Civil Rights are: health care staff orally coordinating services at nursing stations; nurses or other health care professionals discussing a patient’s condition over the phone with a patient, provider, or family member; a health care professional discussing lab test results with a patient or other provider in a joint treatment area; a physician discussing a patient’s condition with a patient in a semi-private room; or health care professionals discussing a patient’s condition on training rounds. The Office of Civil Rights notes that in these circumstances reasonable precautions might include using lowered voices or talking apart from others if practicable. OCR Guidance 14-15.

VIII. APPROPRIATE SAFEGUARDS AND MINIMUM NECESSARY

Incidental uses and disclosures are permissible as long as the Covered Entity applies appropriate safeguards and complies with the minimum necessary regulatory requirement. 45 C.F.R. § 164.514(d), OCR Guidance 11. Appropriate safeguards means that a Covered Entity must have appropriate administrative, technical, and physical safeguards that protect against uses and disclosures not permitted by the Privacy Rule. See 45 C.F.R. § 164.530(c), OCR Guidance 11. Examples given of appropriate safeguards are: avoiding using patient names in hallways and elevators, posting signs to remind employees to protect patient confidentiality, locking filing cabinets or patient records’ rooms, and speaking quietly when discussing a patient’s condition with family members. OCR Guidance 12. The minimum necessary requirement means that a Covered Entity must limit who within the entity has access to PHI based on who needs access to perform their job duties. 45 C.F.R. § 164.502(b); OCR Guidance 12. An incidental use or disclosure is not permitted if the use or disclosure occurs as a result of a Covered Entity’s failing to apply reasonable safeguards or the minimum necessary requirement. 45 C.F.R. § 164.514(d).

The minimum necessary standard requires that for many routine business-related activities a Covered Entity would not need to make all of a patient’s individually identifiable information available to everyone in the institution. See generally 45 C.F.R. § 164.502(b) and 45 C.F.R. § 164.514(d). A Covered Entity is required to identify those individuals or classes of individuals who need access to PHI and take reasonable efforts to limit these individuals’ access to what is needed. 45 C.F.R. § 164.514(d)(2). For routine and recurrent disclosures a Covered Entity must implement policies and procedures that limit the PHI disclosed to the amount reasonably necessary to achieve the purpose of the disclosure. 45 C.F.R. § 164.514(d)(3)(i). For all other disclosures a Covered Entity must develop criteria designed to limit the dissemination of PHI disclosed to that reasonably necessary to accomplish the purpose for which disclosure is sought. 45 C.F.R. § 164.514(d)(3)(ii)(A). The Covered Entity must review non-routine requests for disclosure of PHI in accordance with its developed criteria. 45 C.F.R. § 164.514(d)(3)(ii)(B).

IX. TREATMENT, PAYMENT, AND HEALTH CARE OPERATIONS USES OF PHI

A. Treatment

The Privacy Rule encompasses direct and indirect treatment relationships between health care providers and individual patients. Treatment encompasses direct hands-on care as well as the indirect provision of health care services among providers of health care goods and services. 45 C.F.R. § 164.501. Treatment is defined as the provision, coordination, or management of health care by one or more health care providers and includes consultation between health care providers and patient referrals. 45 C.F.R. § 164.501. The Privacy Rule allows Covered Entities to freely share PHI with other covered entities and individuals who are not covered entities when treating patients. OCR Guidance 56. The minimum necessary standard does not apply to treatment. 45 C.F.R. § 164.502(b)(2).

B. Payment

Payment is defined in the Privacy Rule as those activities that a health care provider undertakes to obtain or provide reimbursement for the provision of health care. 45 C.F.R. § 164.501. The minimum necessary standard applies to payment-related disclosures of PHI. See 45 C.F.R. § 164.502(b)(1). The Covered Entity must, when using or disclosing PHI or requesting PHI from another entity for payment-related activities, make reasonable efforts to limit PHI to the minimum necessary to accomplish the goal of obtaining payment for health care services. See 45 C.F.R. § 164.502(b)(2). Examples of payment-related activities include billing and collection activities, utilization review activities, and disclosing limited specified identifying information to consumer reporting agencies. OCR Guidance 55.

C. Health Care Operations

The minimum necessary standard applies to operational activities. 45 C.F.R. § 164.502(b)(1). Health care operations include quality assessment and improvement activities, outcomes evaluation, case management and care coordination, and contacting patients with information about treatment alternatives and related functions that do not involve treatment. 45 C.F.R. § 164.501. Operations also include reviewing the competence of health care professionals, evaluating practitioner and provider performance, and conducting or arranging for medical and legal review and auditing activities. Id. Other more generic operational items include business planning, managerial functions, customer service, resolution of internal grievances within the entity, and the sale, transfer, merger, and consolidation activities associated with disposition of all or a part of a Covered Entity’s assets. Id.

TPO permitted uses and disclosures of PHI generally allow the Covered Entity to avoid obtaining an authorization or consent from, or providing an accounting to, the Covered Entity’s patient. 45 C.F.R. § 164.528 (right to an accounting does not apply to treatment, payment, and health care operations as defined in 45 C.F.R. § 164.506). The Covered Entity must provide the patient with notice of the uses and disclosures of PHI that may be made by the Covered Entity. 45 C.F.R. § 164.520(a)(1), but cf. 45 C.F.R. § 164.520(a)(2), (3) (exceptions for group health plans and inmates). A Covered Entity is required to provide the patient with its notice of privacy practices and describe all uses and disclosures of PHI that the provider is permitted and required to make. See Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82461, 82549 (2000) (Covered Entities must describe all uses and disclosures of protected health information that they are permitted or required to make under the notice of privacy practices rule without an authorization). The Notice of Privacy Practices must contain a description and at least one example of the types of uses and disclosures that the Covered Entity is permitted to make for treatment, payment, and health care operations. 45 C.F.R. § 164.520(b)(1)(ii).

X. OVERVIEW OF BUSINESS ASSOCIATES

The Privacy Rule defines Business Associates as persons who assist a covered entity in a function or activity involving the use or disclosure of individually identifiable health information. 45 C.F.R. § 160.103. The definition of a Business Associate specifically includes a person who provides legal and other consulting services. 45 C.F.R. § 160.103. A Business Associate does not include a member of the Covered Entity’s workforce. Id. Workforce includes employees, volunteers, trainees, and others who perform work for a Covered Entity and are under the direct control of the Covered Entity, regardless of whether or not the Covered Entity pays them. Id. A Covered Entity may reasonably rely on the judgment of a Business Associate providing professional services as to the minimum necessary amount of PHI needed. The professional Business Associate must state that the amount of PHI needed is the minimum necessary required for the stated professional purpose. 45 C.F.R. § 164.514(d)(3)(iii)(C) (2004) (professional must represent information requested is the minimum necessary for stated purpose).

A Covered Entity may disclose PHI to its Business Associates and may allow the Business Associate to create or receive PHI if the Covered Entity obtains satisfactory assurances the Business Associate will appropriately safeguard the information. 45 C.F.R. § 164.502(e)(1)(i). The Covered Entity must document the satisfactory assurances through a written contract or other written agreement or arrangement with the Business Associate. 45 C.F.R. § 164.502(e)(2). A Covered Entity is non-compliant if it knows the business associate engaged in a pattern or practice of violating the Business Associate’s obligations under the contract. 45 C.F.R. § 164.504(e)(1)(ii). However, the Covered Entity is not liable for or required to monitor the actions of its Business Associate. If a Business Associate does not comply with its contractual obligations the Covered Entity must terminate the contract or, if termination is not feasible, report the problem to the Secretary of the Department of Health and Human Services. 45 C.F.R. § 164.504(e)(1)(ii) (2004).

The contract, commonly referred to as a business associate agreement or BAA, must: establish the permitted and required uses and disclosures of PHI by the Business Associate (45 C.F.R. § 164.504(e)(2)(i)); not authorize the Business Associate to use or further disclose PHI in a way that would violate the implementation specifications concerning standard business associate contracts (45 C.F.R. § 164.504(e)(2)(i)); require that the Business Associate not further disclose the information other than as permitted by the contract or required by law (45 C.F.R. § 164.504(e)(2)(ii)(A)); and require that the Business Associate use appropriate safeguards to prevent use or disclosure other than as provided by the contract and report such use or disclosure to the Covered Entity. 45 C.F.R. § 164.504(e)(ii)(B), (C). The contract must also require that the Business Associate ensure that any agents, including a subcontractor, to whom it provides PHI agree to the same restrictions and conditions that apply to the Business Associate. 45 C.F.R. § 164.504(e)(ii)(D).

A Business Associate contract must require that the Business Associate make certain PHI available to the patient in accordance with the Privacy Rule’s right of access requirement. 45 C.F.R. § 164.504(e)(ii)(E). The contract must also allow the patient to amend his or her PHI as appropriate, 45 C.F.R. § 164.504(e)(ii)(F), and make available information required for an accounting of disclosures, as required by the Privacy Rule. 45 C.F.R. § 164.504(e)(ii)(G). The contract must require that the Business Associate make its internal practices about use and disclosure of PHI available to the Secretary of the Department of Health and Human Services for purposes of determining the Covered Entity’s compliance with the rules governing Covered Entity-Business Associate arrangements. 45 C.F.R. § 164.504(e)(ii)(H). The contract must also require that at the termination of the contract the Business Associate return or destroy all PHI received from, or created by the Business Associate on behalf of, the Covered Entity. If destruction or return of the PHI is not feasible, the contract must extend its protection to this information and limit further uses of the PHI. 45 C.F.R. § 164.504(e)(ii)(I).

XI. ATTORNEYS AS BUSINESS ASSOCIATES

A. General Requirements

The Privacy Rule definition of a Business Associate specifically references retained counsel by defining Business Associates as persons who “[p]rovide[], other than in the capacity of a member of the workforce of such covered entity, legal . . . services to or for such covered entity, . . . where the provision of the service involves the disclosure of individually identifiable health information from such covered entity . . . to the person.” 45 C.F.R. § 160.103. Health care operations also specifically references “[c]onducting or arranging for legal services.” 45 C.F.R. § 164.501. So it is evident the Secretary of the U.S. Department of Health and Human Services contemplated regulating lawyers whose representation involves access to PHI as Business Associates engaged in health care operations on behalf of their Covered Entity client. Consequently, the Privacy Rule requires that the Covered Entity obtain a business associate agreement from the lawyer in accordance with the implementation specifications concerning business associate contracts. See 45 C.F.R. § 164.504(e)(1). Retained medical malpractice defense attorneys would be an example of outside counsel who qualify as business associates. Note, however, that in-house counsel would be considered members of the Covered Entity’s workforce.

Lawyers are only indirectly subject to regulation by the Department of Health and Human Services by virtue of the obligations the Privacy Rule places on Covered Entities. See Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82461, 82471 (2000). Attorneys representing health care providers are subject to their respective State Bars’ Rules of Professional Conduct. In Texas, the Preamble to the Rules of Professional Conduct requires that a lawyer provide his client with an informed understanding of the client’s legal rights and obligations and explain their implications. Tex. Disciplinary R. Prof’l Conduct preamble ¶ 2, reprinted in Tex. Gov’t Code Ann., tit. 2, subtit. G app. A (Vernon 1998). A lawyer’s duty of ordinary care to his client would also suggest that an attorney not subject his Covered Entity client to possible regulatory sanctions and that the lawyer follow the dictates of the Privacy Rule while working on behalf of the client.

Covered Entities may share PHI with their attorneys without an authorization or patient consent because health care operations encompasses legal services. See 45 C.F.R. § 164.506(a), (c)(1) (Covered Entity is permitted to use or disclose PHI for its own treatment, payment, or health care operations); OCR Guidance 58 (“Consent. A covered entity may voluntarily choose, but is not required, to obtain the individual’s consent for it to use and disclose information about him or her for treatment, payment, and health care operations.”) (emphasis added). Counsel for a Covered Entity should review its health care provider client’s notice of privacy practices to ensure that the activities the attorney engages in fall within the scope of the provider’s notice. A Covered Entity is required to provide the patient with a notice of privacy practices that describes the uses and disclosures of PHI the provider is permitted to make, describes operational uses and disclosures, and provides an example of an operational use and disclosure. 45 C.F.R. § 164.520(b)(1)(ii) (2004); Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82461, 82490-91 (2000).

The Business Associate Agreement with the attorney’s client requires that the attorney agree to provide an individual with a right of access to his or her PHI. Lawyers should not have to do this in most circumstances. An individual patient has a right of access to his or her PHI maintained by the Covered Entity in the patient’s designated record set. 45 C.F.R. § 164.524(a)(1). As a Business Associate of a Covered Entity, an attorney probably would not be in possession of the individual patient’s designated record set. See 45 C.F.R. § 164.524(a)(1). Record is defined for purposes of a designated record set as any item or collection of information that includes protected health information and is maintained, collected, used, or disseminated by or for a covered entity. 45 C.F.R. § 164.501. A designated record set is a group of records maintained by or for a covered entity that is the medical and billing records about an individual. 45 C.F.R. § 164.501. A designated record set includes records used in whole or in part by or for the Covered Entity to make decisions about individuals. 45 C.F.R. § 164.501 (2004).

B. Access to PHI

The access requirement of the Privacy Rule provides that the Covered Entity must allow individuals to copy and inspect their PHI in designated record sets. 45 C.F.R. § 164.524(c)(1). If the Covered Entity maintains the same PHI in more than one designated record set or at more than one location, the Covered Entity need only produce the PHI once in response to a request for access. Id. Consequently, a Covered Entity’s lawyer should not have to produce or allow anyone to inspect PHI it obtains from a Covered Entity, since the Covered Entity’s custodian of billing and medical records would probably maintain the originals of these records. Also, the records maintained by the Covered Entity would be the records the Covered Entity uses to make decisions about individual patients. See 45 C.F.R. § 164.501; Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82461, 82554 (2000) (“. . . individuals have a right of access to any protected health information that is used, in whole or in part, to make decisions about individuals. This information includes, for example, information used to make health care decisions or information used to determine whether an insurance claim will be paid.”). PHI in the files of providers’ attorneys would not fit within this definition of designated record set.

C. Attorney Work Product Protected

The Privacy Rule incorporates a work product privilege. There are exceptions to an individual’s right to access his or her designated record set, including an exception for information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. 45 C.F.R. § 164.524(a)(1)(ii). The Office of the Secretary of the Department of Health and Human Services says in the interpretive guidelines accompanying the Privacy Rule that: “Under this exception, the covered entity may deny access to any information that relates specifically to legal preparations but may not deny access to the individual's underlying health information. We do not intend to require Covered Entities to provide access to documents protected by attorney work-product privilege nor do we intend to alter rules of discovery.” Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82461, 82555 (2000). This commentary indicates that the Secretary does not want to alter discovery rules with respect to the attorney work product privilege.

D. Right to Amend PHI

An individual has a right to request that a Covered Entity amend PHI or a record of an individual in the individual’s designated record set. 45 C.F.R. § 164.526(a)(1). The Privacy Rule requires that the Covered Entity contractually obligate its attorney, per the provider’s contract with its lawyer, to make available PHI for amendment and incorporate any amendments to PHI in accordance with the rule governing amendments. 45 C.F.R. § 164.504(e)(2)(ii)(F) (2004). Though contractually obligated to do so, it is unlikely that the attorney would be involved in amending the designated record set. In most circumstances the designated record set would be in the possession of the Covered Entity and not in the possession of its lawyer. If the Covered Entity amends its designated record set, the lawyer should use the amended PHI in judicial and administrative proceedings.

The Privacy Rule requires that a Covered Entity make reasonable efforts to inform persons identified by the individual as having received PHI about the individual patient’s amended PHI. 45 C.F.R. § 164.526(c)(3)(i). The Covered Entity is also required to make reasonable efforts to inform persons it knows have the amended PHI and who may have relied, or could foreseeably rely, on such information to the detriment of the individual, and to provide these persons with the patient’s amended records. 45 C.F.R. § 164.526(c)(3)(ii). Counsel for a Covered Entity, especially in matters where the Covered Entity is itself a party to a judicial or administrative proceeding, should undertake this obligation on their client’s behalf. Tex. Disciplinary R. Prof’l Conduct 3.03, reprinted in Tex. Gov’t Code Ann., tit. 2, subtit. G app. A (Vernon 1998) (lawyer shall not make a false statement of material fact to a tribunal).

E. Retaining Medical Experts

Medical experts have a need to review all or part of individuals’ PHI in the context of peer review proceedings and proceedings involving an aggrieved patient bringing an action against a health care provider. The contract between a Covered Entity and its Business Associate must ensure that agents and subcontractors to whom the attorney provides PHI received on behalf of the Covered Entity agree to the same restrictions and conditions that apply to the lawyer for the Covered Entity. 45 C.F.R. § 164.504(e)(2)(ii)(D) (2004); compare Nagel, Litigation after Hipaa’s Patient Privacy Regulations, 15 The Health Lawyer 5, pg. 14 at 17 (American Bar Association Health Law Section Publication), August 2003 (“to the extent an expert can be considered an agent of the business associate lawyer, the business associate lawyer could disclose the PHI to the expert, so long as the expert has agreed with the business associate lawyer to follow the regulations regarding the disclosure of any PHI they view”).

Lawyers retaining independent consultants who will see PHI must execute a contract with the consultant incorporating the implementation specifications required by the Privacy Rule. 45 C.F.R. § 164.504(e)(2)(ii)(D) (2004) (an agent, including a subcontractor, of the Business Associate must “agree[] to the same restrictions and conditions that apply to the business associate with respect to such information.”). Medical experts who are also Covered Entities may be subject to administrative sanctions for violating the Privacy Rule even though they have never treated the patient. The OCR has said in its guidance document that when a Covered Entity is also a Business Associate, the medical expert Covered Entity is not compliant with the Privacy Rule if it violates the satisfactory assurances it provided as a Business Associate of another Covered Entity. OCR Guidance 46. Consequently, if a medical expert that is also a Covered Entity works as a subcontractor for a Business Associate and violates the expert’s assurances to the Business Associate, the expert may likewise be non-compliant and subject to regulatory sanctions. Before sending PHI to or discussing PHI with a consultant, the attorney should obtain an appropriate written guarantee from the consultant that conforms to the Hipaa Privacy Rule.

XII. PREEMPTION OF STATE LAW

A. Privacy Rule Preemption Provision

The Privacy Rule preempts State law that is contrary to the Privacy Rule. 45 C.F.R. § 160.201; 42 U.S.C.A. § 1320d-7 (West 2003). The Act provides that a regulation promulgated by the Secretary shall not “supercede a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or implementation specifications imposed under the regulation.” Public Law No. 104-191, 110 Stat. 2033 (1996) (located in Historical and Statutory Notes to 42 U.S.C.A. § 1320d-2 (2003)); 42 U.S.C.A. § 1320d-7(a)(2)(A) (West 2003). These provisions are incorporated in the Privacy Rule. See 45 C.F.R. § 160.203.

The Privacy Rule defines contrary to State law to mean that a Covered Entity would find it impossible to comply with both the State and federal requirements. 45 C.F.R. § 160.202. Contrary is also defined as a provision of State law that stands as an obstacle to the accomplishment and execution of the full purposes and objectives of Part C of Title XI of the Act. Id.; 42 U.S.C.A. §§ 1320d-1320d-8 (West 2003 & Supp. 2004). The Privacy Rule defines more stringent as requiring a comparison of a provision of State law and a standard, requirement, or implementation specification adopted in accordance with 45 C.F.R. Part 164. See 45 C.F.R. §§ 164.102-164.534 (2004). Note that 45 C.F.R. § 164.106 requires that Covered Entities comply with Parts 160 and 162 when complying with Part 164.

The State law is more stringent with respect to a use or disclosure if the use or disclosure would otherwise be permitted under the Privacy Rule. 45 C.F.R. § 160.202. The exceptions to the more stringent requirement are when the Secretary for compliance purposes requires the disclosure or if the disclosure is to the individual who is the subject of the individually identifiable health information. Id.

More stringent applies to State law giving the patient greater rights of access, amendment, rights and remedies, and more information about the use or disclosure to an individual concerning that individual’s individually identifiable health information. Id. More stringent also applies where State laws give greater rights to an accounting or reporting or narrow the scope or duration of the use or disclosure of PHI in situations where legal permission from an individual is required to access his or her PHI. Id. With respect to any other matter, more stringent is defined as giving greater privacy protections to an individual’s individually identifiable health information. Id. Relating to the privacy of individually identifiable health information is defined as a State law that has the specific purpose of protecting the privacy of health information or affects the privacy of health information in a direct, clear, and substantial way. Id. State law is defined in the Privacy Rule as a constitution, statute, regulation, rule, common law, or other State action having the force and effect of law. Id.

B. Preemption Analysis by the Texas Attorney General

1. Background

The Texas Legislature required that the Attorney General of the State of Texas file a report no later than Nov. 1, 2004, identifying the laws the Attorney General believes are preempted by the Health Insurance Portability and Accountability Act and privacy standards. Tex. Health & Safety Code Ann. § 181.253(a) (Vernon Supp. 2005). The legislation allowed the Attorney General to appoint a task force and required that the Attorney General analyze State law to determine which provisions of State law related to privacy of individually identifiable health information are preempted by the Act and the Privacy Rule. Tex. Health & Safety Code Ann. §§ 181.251-252 (Vernon Supp. 2005).

The Attorney General’s Preemption Analysis is a 465-page document that measures State law against the Hipaa Privacy Rule. Report of the Office of the Attorney General of Texas, Preemption Analysis of Texas Laws Relating to the Privacy of Health Information & Health Insurance Portability & Accountability Act (HIPAA) 6 (Nov. 1, 2004)(on file with the Texas Attorney General’s Office)(hereafter referred to as “Atty Gen. Preemption Analysis”). The Attorney General found that Hipaa did not preempt most State laws because it was not impossible for a Covered Entity to comply with both the Privacy Rule and State law. Atty Gen. Preemption Analysis 11.

2. Medical Peer Review Committee and Medical Committee Privileges

The Attorney General did address whether Hipaa preempted the peer review committee privileges found in Texas law. The Attorney General’s analysis of peer review committee records did not decide whether a peer review committee is a Covered Entity when the task force analyzed the Privacy Rule’s effect on peer review committees. Since a peer review committee within a hospital might consider itself a Covered Entity, the Attorney General assumed, for purposes of the preemption analysis looking at the preemptive effect of the Privacy Rule on the confidentiality of peer review records, that Hipaa would apply to peer review committees. Atty Gen. Preemption Analysis 16. The Attorney General made legislative recommendations for changing certain State laws that the task force determined were preempted or where compliance with both State law and the Privacy Rule would be facilitated by clarification of the State law. Atty Gen. Preemption Analysis 18.

No recommendations were suggested for modifying the medical peer review committee protections contained within the Texas Occupations Code. See Atty Gen. Preemption Analysis 18-20. See, e.g., Tex. Occ. Code Ann. §§ 160.001-160.014, 303.001-303.010, 554.001-554.013 (Vernon 2004). Nor did the Attorney General make any recommendations or suggest clarifying the medical committee privileges contained in the Texas Health and Safety Code. See Atty Gen. Preemption Analysis 18-20; see, e.g., Tex. Health & Safety Code Ann. §§ 161.031-161.033 (Vernon 2001 & Supp. 2005), Tex. Health & Safety Code Ann. § 773.095 (Vernon 2003). This would indicate that the peer review privileges associated with peer review committees established by the Occupations Code and organized committees of hospitals established by the Health and Safety Code remain privileged. This interpretation is consistent with the guidance provided by the Office of the Secretary of the Department of Health and Human Services.

In its guidance accompanying the Privacy Rule the Department notes that PHI used for quality control or peer review analysis not in a designated record set need not be produced. Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82461, 82554 (2000)(“. . . individuals have a right of access to any protected health information that is used, in whole or in part, to make decisions about individuals. This information includes, for example, information used to make health care decisions or information used to determine whether an insurance claim will be paid. Covered entities often incorporate the same protected health information into a variety of different data systems, not all of which will be utilized to make decisions about individuals. For example, information systems that are used for quality control or peer review analyses may not be used to make decisions about individuals. In that case, the information systems would not fall within the definition of designated record set. We do not require entities to grant an individual access to protected health information maintained in these types of information systems.”).

C. Court Cases Discussing Privacy Rule Preemption

1. Federal Question Cases and More Stringent State Laws

In Northwest Mem. Hosp. v. Ashcroft, 362 F.3d 923 (7th Cir. 2004)(opinion authored by Circuit Judge Posner), a hospital challenged a Department of Justice (DOJ) subpoena seeking medical records of patients who had late-term abortions for use in litigation to defend the constitutionality of the Partial-Birth Abortion Ban Act. Northwest Mem. Hosp., 362 F.3d at 924. The government sought these records to impeach an opposing physician expert during trial. The government was appealing a district court order quashing a subpoena commanding that the hospital produce the medical records of patients on whom this doctor performed late-term abortions. Id. The Seventh Circuit noted that the Privacy Rule defines a State law standard as more stringent “if it ‘provides greater privacy protections for the individual who is the subject of the individually identifiable health information’ than the standard in the regulation.” Id.

The district court issued an order authorizing but not requiring that the hospital provide the records to the government after redacting identifying information involving the patient. All parties agreed that this order qualified under the Privacy Rule’s procedures for obtaining PHI from a Covered Entity in judicial and administrative proceedings. Northwest Mem. Hosp., 362 F.3d at 925 (referencing 45 C.F.R. 164.512(e)). However, the district court determined that Illinois law set a “more stringent” standard for disclosure than the Privacy Rule, concluded that the Hipaa Privacy Rule, by incorporating the more stringent standard, was thereby trumped by the Illinois standard, and quashed the subpoena. Id.

The Seventh Circuit decided that Hipaa does not create a federal patient medical records privilege. Northwest Mem. Hosp., 362 F.3d at 926. The court determined the Hipaa standard for disclosure of medical information in judicial or administrative proceedings should be understood as a procedural provision for obtaining authority to use medical records in litigation. Northwest Mem. Hosp., 362 F.3d at 925-26. Because this was a federal question case, the court noted that the admissibility of the medical records in evidence would be governed by federal and not by State law and chose not to enforce State privilege law. Northwest Mem. Hosp., 362 F.3d at 926. The court said enforcement of federal law could be hamstrung if state-law privileges regarding medical records were applicable to all federal cases. The court said “we think it improbable that HHS intended to open such a can of worms when it set forth a procedure for disclosure of medical records in litigation—intended, that is, to be regulating, actually or potentially (depending on other statutory provisions regulating subpoenas), the litigation of federal employment discrimination cases, social security disability cases, ERISA cases, Medicare and Medicaid fraud cases, Food and Drug Administration cases, and the numerous other classes of federal case[s] in which medical records whether of the parties or of nonparties would not be privileged under federal evidence law.” Northwest Mem. Hosp., 362 F.3d at 925.

In federal question cases involving discovery of PHI in court proceedings, more stringent State privacy laws do not apply to third parties seeking PHI from Covered Entities. The court determined the Privacy Rule does not create a new privilege associated with medical records and viewed the Privacy Rule as a procedural device only. The DOJ is not a Covered Entity. The court did not identify the DOJ as a Business Associate in the opinion. However, the court did require that the DOJ comply with the requirements of the Privacy Rule when it sought information from the hospital.

2. Privacy Rule Governs Ex Parte Contacts With Treating Physicians

A number of courts have interpreted the Privacy Rule as prohibiting ex parte communications between defense attorneys who do not represent an injured plaintiff and physicians providing treatment to the injured plaintiff. The physicians were also Covered Entities subject to the requirements of the Privacy Rule. These cases discuss the Privacy Rule requirements for using PHI in judicial and administrative proceedings where the involved patient was a party to the litigation. Courts have sanctioned lawyers who have violated the Privacy Rule.

A recent case from New York is Keshecki v. St Vincent’s Medical Center, 785 N.Y.S.2d 300 (2004). The Keshecki opinion was a shoulder dystocia medical malpractice case. Keshecki, 785 N.Y.S.2d at 301. Defense counsel discussed the case with two of the plaintiff’s subsequent treating physicians. The court noted that under New York law prior to the enactment of Hipaa no explicit authorization was required in order to interview the plaintiff’s doctors, and merely bringing an action placed the plaintiff’s medical condition in issue and waived the statutory physician-patient privilege. Keshecki, 785 N.Y.S.2d at 302. This is consistent with intermediate appellate decisions in Texas. See James v. Kloos, 75 S.W.3d 153, 160-61 (Tex. App.--Fort Worth 2002, no pet.)(no showing of harm warranting reversal following ex parte meeting between defense counsel and treating physician in malpractice case); Durst v. Hill Country Mem. Hosp., 70 S.W.3d 233, 237 (Tex. App.—San Antonio 2001, no pet.)(no specific rule prohibits ex parte communications between a plaintiff’s treating physician and defense counsel); Rios v. Tex. Dept. of Mental Health and Mental Retardation, 58 S.W.3d 167, 169 (Tex. App.—San Antonio 2001, no pet.)(physician-patient privilege did not apply because plaintiff’s physical condition was relevant to claim for damages).

The New York court noted that the Hipaa Privacy Rule prevents PHI from being disclosed by Covered Entities to others without written consent or the opportunity to formally object and determined this federal law preempted the less stringent New York law which allowed for ex parte interviews. Keshecki, 785 N.Y.S.2d at 303-04. The court stated the law of New York provided no significant protection against a treating physician’s oral communications once defense counsel filed a requisite statutory notice. Therefore, the Hipaa statute preempted the New York statute. Id. The court did approve of a process whereby defense counsel desiring to interview a plaintiff-patient’s treating health care providers could obtain a Hipaa compliant authorization and still benefit from the New York law allowing for ex parte contacts with treating physicians. Id. Even though the court refers to the Privacy Rule as preempting New York State law, in effect what the court was requiring of defense counsel was that they comply with the Privacy Rule and less stringent State laws. Counsel should note the court sanctioned the defendant by precluding the defendant from introducing the testimony of the two physicians interviewed by defense counsel in violation of the Privacy Rule.

A federal district court in California also weighed in on this issue, discussing the California physician-patient privilege in light of the Privacy Rule. Crenshaw v. Mony Life Ins. Co., 318 F.Supp.2d 1015 (S.D. Calif. 2004). In Crenshaw, a diversity case applying State law privileges, the plaintiff sued his disability insurer for denying plaintiff’s disability claim. Crenshaw, 318 F.Supp.2d at 1018. During his treatment plaintiff Crenshaw saw a Dr. Harris on one occasion some years before filing suit. The evidence before the court was that an associate attorney employed by defense counsel independently, and without apparently knowing Dr. Harris had seen the plaintiff, retained Dr. Harris as an independent expert. Dr. Harris reportedly told the associate he did not recall ever seeing the plaintiff. Thereafter, the lead defense attorney saw a chart note indicating Dr. Harris had met and examined the plaintiff. Crenshaw, 318 F.Supp.2d at 1019. The district court determined that California law did not prohibit the ex parte contact with Dr. Harris by defense counsel under the circumstances of this case. Crenshaw, 318 F.Supp.2d at 1018. However, the district court determined the principle allowing for a waiver of the confidentiality of the physician-patient privilege under California law conflicted with the purposes and procedures of the Hipaa Privacy Rule. Crenshaw, 318 F.Supp.2d at 1028-29.

In its opinion the district court notes that the Privacy Rule allows for disclosure of PHI in the course of administrative or judicial proceedings and places certain requirements on the medical professional and the party seeking medical information. Crenshaw, 318 F.Supp.2d at 1029. The court held that defense counsel’s ex parte communication with Dr. Harris did not fall within the Privacy Rule’s requirement that confidential medical information be disclosed pursuant to a court order, subpoena, or discovery request. Crenshaw, 318 F.Supp.2d at 1029 (citing 45 C.F.R. § 160.103 (2004), 45 C.F.R. § 164.512(e)(1)(i), and 45 C.F.R. § 164.512(e)(1)(ii)(A), (B)). Consequently, the court determined the defense attorney in that case violated the Privacy Rule by not complying with the implementation provision governing disclosures for judicial and administrative proceedings. Although the court determined the violation of the Privacy Rule was not egregious, defense counsel “violated HIPAA by contacting Dr. Harris ex parte in the absence of a qualified protective order and without a formal discovery request,” and the court sanctioned the defendant. Crenshaw, 318 F.Supp.2d at 1030-31. The sanctions included requiring that the defendant pay Dr. Harris’s expert fees for the deposition of Dr. Harris, court reporter’s fees, and attorneys’ fees for taking Dr. Harris’s deposition, and limiting further ex parte communications between Dr. Harris and defense counsel. Id. Though the plaintiff’s counsel sought to disqualify defense counsel and to disqualify Dr. Harris as an expert witness, the court determined that disqualifying defense counsel and Dr. Harris as an expert was not warranted in this situation and imposed lesser sanctions. Crenshaw, 318 F.Supp.2d at 1030.

Another case involving ex parte communications with Covered Entities is from a federal district court in Maryland. Law v. Zuckerman, M.D., 307 F.Supp.2d 705, 707 (D. Md. 2004). This is a Memorandum Opinion authored by a Magistrate Judge. This was a malpractice case brought by a patient against her surgeon. Law, 307 F.Supp.2d at 707. During the course of her trial the plaintiff made an oral motion to preclude defense counsel from conducting ex parte interviews of her treating physician. The treating physician was defense counsel’s first fact witness and was called to explain plaintiff’s alleged damages. The court determined that applicable Maryland law allowed for ex parte communications between a lawyer and the treating physician of an adverse party who placed her medical condition in issue. Law, 307 F.Supp.2d at 708. It then concluded that ex parte contacts between the defendant and the treating physician are governed by the Privacy Rule and not by State law. Id. The court said that Hipaa does not prohibit all contact between defense counsel and a physician; it just regulates the methods by which PHI, including “oral” medical records, is disclosed by the Covered Entity. Id.

This court notes that the Hipaa regulations permit discovery of PHI so long as a court order or agreement of the parties prohibits disclosure of the information outside the litigation and requires the return of the information once the proceedings are concluded. Id. This court also opined that trial or deposition subpoenas are treated differently than an order of the court. Quoting from 45 C.F.R. § 164.512(e)(1)(ii)(A) and (B) the court says when medical information is to be released in response to a subpoena or discovery request, the health care provider must receive satisfactory assurance that there have been (1) good faith attempts to notify the subject of the PHI in writing of the request and that the subject of the request has been given the opportunity to object; or (2) reasonable efforts have been made by the requesting party to obtain a qualified protective order. Id.

In determining that the Hipaa Privacy Rule preempted contrary Maryland State law, the court cited unpublished decisions from a federal district court sitting in Louisiana and an unpublished decision from the New Jersey Superior Court which likewise held that the Privacy Rule preempted contrary State laws. Law, 307 F.Supp.2d at 710. This court goes on to say that the enactment of the Hipaa “statute has radically changed the landscape of how litigators can conduct informal discovery in cases involving medical treatment.” Law, 307 F.Supp.2d at 710. The court noted that informal discovery of PHI is prohibited by the Privacy Rule unless the patient consents. See Id. The court said that “[c]ounsel should now be far more cautious in their contacts with medical fact witnesses when compared to other fact witnesses to ensure that they do not run afoul of HIPAA’s regulatory scheme. Wise counsel must now treat medical witnesses similar to the high ranking corporate employee of an adverse party.” Law, 307 F.Supp.2d at 711, citing Camden v. Maryland, 910 F.Supp. 1115 (D. Md. 1996).

The court outlines the steps required to obtain PHI during a judicial proceeding. One way is through a court order limited to the PHI expressly authorized by such order. In the absence of a court order, PHI can be released by the Covered Entity receiving satisfactory assurances from the requesting party that reasonable efforts (as defined by the rule) have been undertaken to give the subject of the PHI notice of the request. Or, the Covered Entity receives satisfactory assurance (as defined in the rule) from the party seeking the information that reasonable efforts have been made to secure a qualified protective order (meeting the requirements of the Privacy Rule). Law, 307 F.Supp.2d at 711; see also 45 C.F.R. §§ 164.512(e)(1)(i), 164.512(e)(1)(ii)(A), (B). The court addresses the required by law exception contained in the disclosures allowed for in judicial or administrative proceedings and notes the Covered Entity must meet the requirements of this section of the Privacy Rule governing disclosures for judicial and administrative proceedings before a Covered Entity is required by law to disclose PHI. The court also determined that disclosures governed by the Privacy Rule for judicial and administrative proceedings apply to medical information disclosed during discovery. Law, 307 F.Supp.2d at 712.

Although the courts conclude the Privacy Rule preempts less stringent State law allowing for ex parte contact with a patient’s treating physician, it is this author’s opinion that the Privacy Rule does not preempt State law on this issue. The Privacy Rule simply mandates that these less stringent forms of disclosure of PHI may occur so long as the Covered Entity complies with State law and the Privacy Rule. Preemption would only occur if it were physically impossible for a Covered Entity to comply with both the State law and the requirements of the Privacy Rule. 45 C.F.R. § 160.202; see also Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82461, 82471 (2000)(Office of the Secretary of the Department of Health and Human Services says the Department of Health and Human Services has authority to regulate those who create and disclose health information, but not many key stakeholders who receive that health information from a covered entity.”).

XIII. DISCLOSURES OF PHI IN JUDICIAL AND ADMINISTRATIVE PROCEEDINGS

A. General Requirements

Section 164.512(e) of the Privacy Rule governs the disclosure of PHI in judicial and administrative proceedings. This section says a Covered Entity may use or disclose PHI without an individual’s authorization or the opportunity for the individual to agree or object in situations covered by § 164.512, subject to the applicable requirements of this section. 45 C.F.R. § 164.512. Paragraph (a) of § 164.512 defines the standard for uses and disclosures required by law. 45 C.F.R. § 164.512(a). A Covered Entity may use or disclose PHI to the extent such use or disclosure is required by law and is limited to the relevant requirements of such law. 45 C.F.R. § 164.512(a)(1). Required by law is defined as a mandate contained in law that compels an entity to make a use or disclosure of PHI that is enforceable in a court of law. 45 C.F.R. § 164.501. The definition gives examples of required by law disclosures as including, but not limited to, court orders, court-ordered warrants, subpoenas or summons issued by a court, grand jury, governmental inspector, or an administrative body authorized to require the production of information. Id. This definition does not include discovery requests as a category of disclosures required by law. Nor does it include subpoenas issued by an attorney. However, the definition would seem to include a response to a discovery request if the Covered Entity were a party, since the Covered Entity would be required to respond to discovery and the party seeking discovery could compel the Covered Entity to respond.

Paragraph (a)(2) of section 164.512 states that the Covered Entity must meet the requirements of paragraphs (c), (e), and (f) for uses and disclosures required by law. 45 C.F.R. § 164.512(a)(2). Paragraph (c) involves disclosures about victims of abuse, neglect, or domestic violence; paragraph (e) involves disclosures for judicial and administrative proceedings; and paragraph (f) involves disclosures to law enforcement personnel. The standard for use and disclosure of PHI in court and administrative proceedings requires that Covered Entities comply with paragraph (e) in addition to any other authorized disclosure required by law. In this author’s view, the Privacy Rule does not supplant the way in which PHI is currently used in judicial and administrative proceedings. The Privacy Rule only imposes additional requirements on Covered Entities in judicial and administrative proceedings. Section 164.512 also addresses uses and disclosures for public health activities in paragraph (b), health oversight activities in paragraph (d), about decedents in paragraph (g), for eye or tissue donation purposes in paragraph (h), research purposes in paragraph (i), to avert a serious threat to health or safety in paragraph (j), and for specialized government functions in paragraph (k). 45 C.F.R. § 164.512. The Privacy Rule provides that paragraph (e) of § 164.512 governing uses and disclosures of PHI in judicial and administrative proceedings does not supersede other provisions of § 164.512 that otherwise permit or restrict uses or disclosure of PHI. 45 C.F.R. § 164.512. So even if PHI in a dispute is subject to a paragraph (e) judicial or administrative proceeding, uses and disclosures under other paragraphs of § 164.512 may be permitted. See 45 C.F.R. § 164.512(e)(2) (2004).

Subsection (e) provides that a Covered Entity may disclose PHI in the course of any judicial or administrative proceeding in response to a court order or an order from an administrative tribunal, provided the Covered Entity limits its disclosure to the PHI expressly authorized by the order. 45 C.F.R. § 164.512(e)(1) (2004). This method of allowing third parties to obtain PHI from a Covered Entity is the easiest way for a Covered Entity to release PHI. However, alternative means exist whereby third parties can obtain PHI for court proceedings and administrative actions without a court order or without an order from an administrative tribunal.

B. Notification Provision for Obtaining PHI in Court and Administrative Proceedings

A Covered Entity may disclose PHI in response to a subpoena, discovery request, or other lawful process not accompanied by a court order or appropriate administrative order through a notification provision contained in subsection (e). The notification provision requires that the Covered Entity receive satisfactory assurance from the party seeking the PHI that reasonable efforts have been made by that party to give the individual who is the subject of the PHI notice of the request. 45 C.F.R. § 164.512(e)(1)(ii)(A). Satisfactory assurance from a party seeking PHI is defined as the Covered Entity receiving from the party seeking information a written statement and accompanying documentation demonstrating that the party requesting the PHI made a good faith attempt to provide written notice to the individual (or, if the individual’s location is unknown, to mail notice to the individual’s last known address). 45 C.F.R. § 164.512(e)(1)(iii)(A). The notice by the requesting party to the individual must have included sufficient information about the litigation or proceeding in which the PHI is requested to permit the individual to raise an objection to the court or administrative tribunal. 45 C.F.R. § 164.512(e)(1)(iii)(B). And the time for the individual to raise objections to the court or administrative tribunal must have elapsed, and either no objections were filed or all objections filed by the individual have been resolved by the tribunal and the disclosures sought are consistent with such resolution. 45 C.F.R. § 164.512(e)(1)(iii)(C)(1), (2).

C. Qualified Protective Order Means of Obtaining PHI in Court or Administrative Proceedings

Another way to disclose PHI in the course of an administrative or judicial proceeding in response to a subpoena, discovery request, or other lawful process that is not accompanied by an order of a court or appropriate administrative order is by requesting a qualified protective order. Under the qualified protective order provision of subsection (e) the Covered Entity must receive satisfactory assurance from the party seeking the PHI that reasonable efforts have been made to secure a qualified protective order. 45 C.F.R. § 164.512(e)(1)(ii)(B). Satisfactory assurance for purposes of the qualified protective order means of disclosure requires a written statement and accompanying documentation demonstrating that the parties to the dispute giving rise to the request have agreed to a qualified protective order and have presented it to the court or administrative tribunal having jurisdiction over the dispute, or that the party seeking the PHI has requested a qualified protective order from the court or administrative tribunal. 45 C.F.R. § 164.512(e)(1)(iv)(A), (B). A qualified protective order for the requested PHI is defined as a court order, appropriate administrative order, or a stipulation by the parties to the litigation or administrative proceeding, 45 C.F.R. § 164.512(e)(1)(v), that: (1) prohibits the parties from using or disclosing the PHI for any purpose other than the litigation or proceeding for which the information was requested (45 C.F.R. § 164.512(e)(1)(v)(A)); and (2) requires the return to the Covered Entity or the destruction of the PHI (including all copies made) at the end of the litigation or proceeding. 45 C.F.R. § 164.512(e)(1)(v)(B).

XIV. NO PRIVATE RIGHT OF ACTION FOR HIPAA VIOLATIONS

A. Case Law

Does the Hipaa Privacy Rule create a private right of actions for damages? At least one court has answered this question in the negative. Univ. of Colo. Hosp. Auth. v. Denver Publishing Co., 340 F.Supp.2d 1142, 1145 (D. Colo. 2004). In Univ. of Colo. Hosp. Auth. v. Denver Publishing Co., the plaintiff, University Hospital filed suit for injunctive relief to prevent the Newspaper from using any information contained in a report prepared as part of the hospital’s peer review proceeding. Univ. of Colo. Hosp. Auth., 340 F.Supp.2d 1142. This report was obtained from an unknown source. The hospital alleged the newspaper’s use of the report violated Hipaa and the newspaper removed the case to federal district court. Id. The hospital alleged that the newspaper specifically violated 42 U.S.C. § 1320d-6, a criminal statute prohibiting an individual from knowingly obtaining or disclosing individually identifiable health information. Univ. of Colo. Hosp. Auth., 340 F.Supp.2d 1144. The court noted that nothing in the Act contained any language conferring any privacy rights upon a specific class of individuals. Nor does the act identify any specific class of persons as intended beneficiaries of the Act. Univ. of Colo. Hosp. Auth., 340 F.Supp.2d 1144-45. The Court noted that 42 U.S.C. § 1320d-6 focused on regulating persons who might have access to individuals’ health information and said that


where statutes provide for a discernible enforcement mechanism, courts should not imply private rights of action. Univ. of Colo. Hosp. Auth., 340 F.Supp.2d at 1144.

B. Texas' Medical Records Privacy Statute – No Private Right of Action Allowed

The Texas version of the HIPAA privacy protections, which primarily apply to marketing, was enacted by the 77th Texas Legislature, is patterned after the Health Insurance Portability and Accountability Act of 1996, and became effective September 1, 2002. Medical Records Privacy Act, 77th Leg., R.S., ch. 1511, § 1, 2001 Tex. Gen. Laws 5080. The introduced version of the Texas Act, Senate Bill 11, contained § 181.252, which would have allowed an individual patient to obtain injunctive relief and recover liquidated and punitive damages for a violation of the State medical records privacy statute. Tex. S.B. 11, 77th Leg., R.S. 2001 (introduced version). That provision did not survive. The enrolled version of Senate Bill 11 removed § 181.252 from the Texas Act and replaced it with § 181.204, which stated that the enactment of the Medical Records Privacy Statute does not affect any right of a person under other law to bring a cause of action or otherwise seek relief for conduct violating the statute. Medical Records Privacy Act, 77th Leg., R.S., ch. 1511, § 1, 2001 Tex. Gen. Laws 5080, 5085. The legislature thus contemplated, at least initially, that aggrieved patients would have a remedy. Vinson & Elkins Health Policy Group, The 77th Texas Legislature—What a Difference a Biennium Makes!, 64 Tex. B.J. 770, 770-01 (2001) ("individuals may bring a cause of action under other laws for violations of the provisions under SB 11"). Section 181.204, which preserved the availability of other remedies, was itself repealed in 2003, however. Medical Records Privacy Act, 78th Leg., R.S., ch. 924, § 1, 2003 Tex. Gen. Laws 2757, 2761; see also Tex. Health & Safety Code Ann. § 181.204 (Vernon Supp. 2005) (historical and statutory notes concerning repeal). This leads to the inevitable conclusion that the Texas Legislature chose to do away with any State law cause of action for violations of the State medical records privacy statute.

XV. TEX. CIV. PRAC. & REM. CODE § 74.052 AUTHORIZATIONS

Medical malpractice plaintiffs are required to provide a medical authorization with notice of a health care liability claim. Tex. Civ. Prac. & Rem. Code § 74.052(a). The statute sets out the required form of the authorization and provides that the authorization required by § 74.052 shall be construed in accordance with the "Standards for Privacy of Individually Identifiable Health Information" (45 C.F.R. Parts 160 and 164). Tex. Civ. Prac. & Rem. Code § 74.052(a), (c). The Privacy Rule's own requirements for a valid authorization, including its core elements, are found in 45 C.F.R. § 164.508(c); those core elements appear in the authorization form prescribed by Chapter 74. It should be noted that a Privacy Rule authorization does not supersede requirements imposed by more stringent State law. Also, an authorization for psychotherapy notes may not be combined with an authorization for other PHI. 45 C.F.R. § 164.508(a)(2), (b)(3)(ii).

XVI. CONCLUSION

The HIPAA Privacy Rule is a comprehensive regulation that sets a federal floor on how Covered Entities may use and disclose PHI. One federal circuit court of appeals has determined that the Privacy Rule does not create a federal patient medical records privilege. Many courts have broadly interpreted the Privacy Rule to apply to third party litigants seeking PHI. In fact, some of these courts have sanctioned parties whose lawyers engaged in ex parte contacts with a plaintiff's treating physicians. Arguably, the Privacy Rule by its own terms applies only to Covered Entities, so third parties seeking PHI may be able to argue that the Privacy Rule does not apply to lawyers who do not represent Covered Entities. Courts, however, have uniformly enforced the dictates of the Privacy Rule when dealing with PHI in court proceedings. It should also be noted that the Privacy Rule does not contain a waiver provision. Attorneys representing Covered Entities should be mindful of this and ensure they meet the dictates of the Privacy Rule in court and administrative proceedings.