Privacy in Discovery: De-identified, Non-party Medical Information

We have been doing a significant amount of work in Privacy in Discovery and wanted to share our recent blog discussing the discovery of de-identified, non-party medical information.

When can litigation discovery include de-identified medical information about non-parties? It depends on the court. Some courts bar it absolutely, even if all personal markers have been removed from the information. Others are more open.

A typical situation in which the parties to litigation might want non-party medical information could include, for instance, a malpractice claim, where the plaintiff seeks records of other patients who underwent the same procedure with the same doctor; or a contract claim alleging that a doctor violated a non-compete agreement and seeking lists of patients treated by the same doctor in violation of the agreement.

In these types of cases, it may be impossible or unfeasible to obtain the non-parties’ consent to disclosure of their medical information (for instance, if there are too many patients’ records to realistically obtain consent from all of them).

The Privacy Rule under the Health Insurance Portability and Accountability Act (HIPAA), which codifies individual privacy rights over health information, provides a de-identification standard. The standard lists various individual markers that must be removed so that the individual cannot be identified. The non-exhaustive list of “identifiers of the individual or of relatives, employers, or household members of the individual” to be removed includes:

(A) Names;
(B) All geographic subdivisions smaller than a State, including street address, city, county, precinct, zip code, and their equivalent geocodes, except for the initial three digits of a zip code if, according to the current publicly available data from the Bureau of the Census:
(1) The geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and
(2) The initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000.
(C) All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older;
(D) Telephone numbers;
(E) Fax numbers;
(F) Electronic mail addresses;
(G) Social security numbers;
(H) Medical record numbers;
(I) Health plan beneficiary numbers;
(J) Account numbers;
(K) Certificate/license numbers;
(L) Vehicle identifiers and serial numbers, including license plate numbers;
(M) Device identifiers and serial numbers;
(N) Web Universal Resource Locators (URLs);
(O) Internet Protocol (IP) address numbers;
(P) Biometric identifiers, including finger and voice prints;
(Q) Full face photographic images and any comparable images; and
(R) Any other unique identifying number, characteristic, or code [subject to a few exceptions] . . . .

45 CFR 164.514(b)(2)(i).
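A minimal sketch of the generalization rules in items (B) and (C) above, added here as an illustration and not taken from the regulation or from the blog's authors. The field names, the `SAFE_FIELDS` allowlist and the `SMALL_ZIP3` set are assumptions; every field not explicitly allowed is dropped, which is how the sketch handles items (A) and (D) through (R).

```python
from datetime import date

# Constructed placeholder: ZIP prefixes covering 20,000 or fewer people.
# A real deployment derives this set from current Census Bureau data.
SMALL_ZIP3 = {"999"}
# Hypothetical field names; only these clinical fields pass through unchanged.
SAFE_FIELDS = {"procedure", "outcome"}
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}


def generalize_zip(zip_code):
    """Item (B): keep the first three digits, or 000 for small areas."""
    zip3 = str(zip_code).strip()[:3]
    if len(zip3) != 3 or not zip3.isdigit() or zip3 in SMALL_ZIP3:
        return "000"
    return zip3


def age_on(birth, as_of):
    """Age in whole years on the as_of date."""
    before_birthday = (as_of.month, as_of.day) < (birth.month, birth.day)
    return as_of.year - birth.year - before_birthday


def deidentify(record, as_of):
    """Return a copy of record reduced to Safe Harbor-style fields."""
    out = {}
    birth = record.get("birth_date")
    age = age_on(birth, as_of) if birth else record.get("age")
    over_89 = age is not None and age > 89
    if age is not None:
        out["age"] = "90+" if over_89 else age  # item (C): one 90+ category
    for key, value in record.items():
        if key == "zip":
            out["zip3"] = generalize_zip(value)
        elif key in DATE_FIELDS:
            # Item (C): year only; drop the birth year when it reveals age > 89.
            if not (key == "birth_date" and over_89):
                out[key.replace("_date", "_year")] = value.year
        elif key in SAFE_FIELDS:
            out[key] = value
        # Everything else (names, numbers, addresses, unknown fields) is dropped.
    return out


# Constructed sample record, not real patient data.
SAMPLE = {"name": "Jane Example", "mrn": "MRN-0001", "city": "Exampleville",
          "zip": "12345", "birth_date": date(1928, 5, 17),
          "admission_date": date(2020, 3, 2), "procedure": "cholecystectomy"}
```

Values in the allowed fields pass through untouched, so free-text notes that may embed names or dates need separate review before being added to the allowlist.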

Additionally, the entity covered by HIPAA must have no actual knowledge that the remaining data could be used alone or in combination with other data to identify the individual. If the data is properly de-identified, then HIPAA no longer applies to protect it.

But even if the data passes de-identification standards under HIPAA, it may still run up against state laws that provide higher protection for the privacy of medical records. For instance, in a recent Maine case, state law on physician-patient privilege prevented a medical malpractice plaintiff from obtaining non-party medical records from a defendant hospital, even if all patient-identifying details were removed. Estate of Kennelly v. Mid Coast Hosp., 2020 ME 115, 239 A.3d 604.

In the Maine case, the plaintiff, who claimed that her surgeon cut the wrong bile duct when removing her gall bladder, wanted to obtain records of the surgeon’s other gall bladder surgeries. In rejecting the request, Maine’s highest court noted that HIPAA would not prevent the disclosure, but Maine’s privilege rule would prevent it. The court noted that only a patient may assert physician-patient privilege. However, it is also true that only a patient may waive that privilege. Here, because the non-party patients had not waived the privilege, the court barred disclosure of their records, even if they were de-identified.

Likewise, in a recent Ohio medical malpractice case, a state appellate court held that the exclusion of non-party medical records from discovery is “automatic” and redaction of patient identifiers “cannot cure the violation of the physician-patient privilege.” Tyler Cody Squiric v. Surgical Hosp. at Southwoods, 2020-Ohio-7026 (Ct. App. 7th Dist.). See also Roe v. Planned Parenthood, 2009-Ohio-2973, 912 N.E.2d 61.

Meanwhile, courts in other states have concluded the opposite: that de-identified, non-party medical data is discoverable. According to them, the identifiability of the individual is precisely what makes the information privileged. By their reasoning, if the information is rendered truly anonymous, the physician-patient privilege is dissolved. Wipf v. Altstiel, 2016 SD 97, 888 N.W.2d 790, 794 (holding that “there is no patient once the information is redacted”); Staley v. Jolles, 2010 UT 19, 230 P.3d 1007.

This split among states shows a lack of consensus over which interests are most deserving of protection. Those opting for non-disclosure cite the medical patient’s interest in open communication with her doctor, free from fear of disclosure under any circumstances. Those choosing disclosure of de-identified data often cite the countervailing rights to full and complete discovery and a meaningful opportunity to present one’s case.

The federal standard is generally on the side of allowing limited discovery of de-identified, non-party information, with additional assurances of confidentiality from a protective order governing the use and disposal of the data. The false claims case of Duffy v. Lawrence Mem’l Hosp., No. 2:14-cv-2256-SAC-TJJ (D. Kan. Mar. 31, 2017) is a good example of this middle approach. In that case, the plaintiff alleged that it needed access to patient records to show that the defendant hospital fraudulently obtained payments from Medicare and Medicaid. The court allowed limited discovery under an agreed protective order, but required de-identification of the data, because the data concerned non-parties whose confidential information the hospital had a legal duty to safeguard.

About Us: LegalResearch.com provides law firms with on-demand legal research and drafting services. If you would like attorney assistance with a specific case, we are ready to help. Please contact us directly at 844-638-6733 or click on https://www.legalresearch.com/litigationresearchandwriting/ to learn more about our services and submit an inquiry.
