Satisfactory Assurances for Permitted Uses & Disclosures of PHI

In Part 1 of this series, we explored the release of records when attorneys request them. In this second installment, we dive deeper into scenarios where your clinic may receive requests for medical records without patient authorization. These situations often involve attorneys seeking protected health information (PHI), which is governed by the HIPAA Privacy Rule (45 CFR Part 164). Under this rule, when the patient has not provided a HIPAA-compliant authorization, attorneys must provide “satisfactory assurances” to the covered entity before it discloses the PHI.

So, what exactly are satisfactory assurances, and how do they impact you as a practice owner? For example, if an attorney representing a plaintiff in a medical malpractice case issues a subpoena for a patient’s medical records, how does that attorney meet HIPAA requirements? Let’s break it down.

What Are Satisfactory Assurances?

Satisfactory assurances are the documentation that lets a covered entity confirm a requested disclosure falls within HIPAA’s permitted uses and disclosures. These assurances typically apply to disclosures made in judicial or administrative proceedings or for law enforcement purposes. Below, we examine both scenarios.

Disclosures for Judicial or Administrative Proceedings

Attorneys frequently request medical records for litigation or administrative hearings. When PHI is requested without patient authorization, the attorney must provide assurances through one of several methods. If a court or administrative order is issued, the attorney must present a written order explicitly authorizing disclosure of specific PHI, and the covered entity must only release the PHI identified in that order.

When no court order exists, attorneys can still provide satisfactory assurances by submitting documentation that demonstrates reasonable efforts to notify the patient. This includes a written statement and supporting documentation confirming that the patient was informed and given a reasonable opportunity to object (timeframes are usually stipulated by state law), along with sufficient details about the legal proceeding to allow the patient to raise objections in court.

Alternatively, attorneys may secure a qualified protective order when a court order is absent. This protective order must limit the use or disclosure of PHI solely to the litigation or proceeding and require that the PHI be returned or destroyed at the conclusion of the case. Covered entities are responsible for verifying these assurances and ensuring that disclosures are limited to PHI relevant to the legal proceeding.

Disclosures for Law Enforcement Purposes

Requests may also come from attorneys acting on behalf of law enforcement or government entities. In these cases, satisfactory assurances depend on the type of request. For administrative requests, the attorney must provide a written request, such as a subpoena or summons, along with a statement confirming that the PHI is relevant and material to a legitimate inquiry, that de-identified information cannot reasonably be used instead, and that the request is specific and limited in scope.

Other law enforcement contexts may involve requests to identify a suspect or report specific injuries. In these situations, the covered entity must verify the legitimacy and authority of the request, which may include confirming the attorney’s credentials or the requesting agency’s authority.

If the attorney has patient authorization, these assurances are unnecessary. However, when authorization is absent, these provisions apply.

Key Considerations

If a patient objects after notification, PHI cannot be disclosed unless a court resolves the objection or a qualified protective order is in place. Disclosures must always be limited to the minimum necessary PHI to achieve the purpose of the request. Additionally, if the attorney acts as a business associate of the covered entity, such as providing legal services, a Business Associate Agreement (BAA) may be required under 45 CFR § 164.504(e).

Returning to our earlier example: If an attorney issues a subpoena for medical records in a malpractice case, they must provide the subpoena, documentation of patient notification, a proposed qualified protective order, and assurances that records will be used solely for litigation and destroyed afterward. The covered entity then verifies these assurances and releases only the relevant records.

Conclusion

Understanding what constitutes satisfactory assurances is critical to compliance and patient privacy. As a practice owner, you must ensure that any disclosure of PHI without patient authorization meets HIPAA requirements. Always verify the legitimacy of requests, confirm appropriate documentation, and limit disclosures to the minimum necessary. By following these guidelines, you protect your patients’ rights while maintaining compliance in complex legal and law enforcement scenarios.

BCMS Compliance Program: Your Partner in Compliance

At BCMS, we empower outpatient therapy practices with our robust Compliance Program, which features tailored policies and procedures aligned with HIPAA Privacy laws and other federal regulations. Let us assist you with the complexities of record release requests and other HIPAA issues to ensure your practice remains compliant and secure. Contact us today to discover how we can assist you in your compliance journey.

About BCMS

BCMS is a trusted leader in healthcare compliance, delivering enrollment, credentialing, audit, and appeals services, as well as other regulatory solutions, for outpatient therapy providers. BCMS specializes in empowering healthcare providers through our comprehensive Compliance Program, which includes tailored policies and procedures and integrates Federal guidance with robust annual training. Stay informed with our latest insights at bcmscomp.com/blog.

Disclaimer: This blog is for informational purposes only and does not constitute legal advice. Consult an attorney for legal matters or a compliance professional for specific guidance.