HIPAA Information
HIPAA Affiliated Covered Entity and Hybrid Entity Health Care Component Designations
Pursuant to the Health Insurance Portability and Accountability Act of 1996’s (HIPAA) Standards for Privacy of Individually Identifiable Health Information (“Privacy Rule”), 45 C.F.R. § 164.504, the Texas A&M University System designates itself and its component institutions as an affiliated covered entity for the purpose of administering the group health plans known as the A&M Care Plans.
The system also designates itself as a hybrid entity because it performs both covered and non-covered functions. The system designates the following activities as “health care components” under the Privacy Rule: Prairie View A&M University’s Owens-Franklin Health Center; Texas A&M University’s Emergency Medical Services; Texas A&M University System Health Science Center’s Baylor College of Dentistry, Coastal Bend Health Education Center, and College of Medicine’s Family Practice Center; and West Texas A&M University’s Health Partners Clinic.
This document shall be maintained as required by 45 C.F.R. § 164.530(j) in a written or electronic form for six (6) years from the date of its creation, or the date when it was in effect, whichever is later.
Subpoenas and HIPAA
For information about subpoenas in general, see our Subpoenas page.
I just received a subpoena for information in an employee's file. Some of the information is medical records! Will I be in violation of HIPAA if I turn over medical records?
HIPAA requires "covered entities" to protect certain categories of information that qualify as "protected health information" under its provisions. The HIPAA regulations state that individually identifiable health information in employment records held by a covered entity in its role as an employer is not "protected health information." (45 C.F.R. §164.501). The HHS explains it this way:
[M]edical information needed for an employer to carry out its obligations under the Family Medical Leave Act (FMLA), the Americans with Disabilities Act (ADA), and similar laws, as well as the files or records related to occupational injury, disability insurance eligibility, sick leave requests and justifications, drug screening results, workplace medical surveillance, and fitness-for-duty tests of employees, may be part of the employment records maintained by the covered entity in its role as an employer. 67 Fed. Reg. 53, 192 (Aug. 14, 2002).
This type of medical information is a necessary part of the employer's official function, and the law permits employers to collect and maintain it. It is not HIPAA-protected, BUT is still subject to state laws on privacy! It should be treated as confidential information. A properly issued subpoena is an appropriate legal way of accessing confidential information.
Oops! My mistake. I have learned that the medical records are not employment records held by my System component in its role as an employer. Now what?
You are permitted by HIPAA to disclose this type of information in response to a subpoena if you receive "satisfactory assurance" from the party who is using the subpoena to get the information that reasonable efforts have been made to ensure that the person whose information is being sought has been given notice of the request, or that he or she has tried to get a protective order but it was denied. "Satisfactory assurance" can be documentation demonstrating that the party requesting such information has made a good faith attempt to provide written notice to the individual; that the notice included sufficient information about the litigation or proceeding in which the protected health information is requested to permit the individual to raise an objection to the court or administrative tribunal; that the time for the individual to raise an objection to the court or administrative tribunal has elapsed, and that no objections were filed or all objections filed by the individual have been resolved by the court or the administrative tribunal and the disclosures being sought are consistent with such resolution.
How am I supposed to find out all of that?!
If the subpoena is for records of a party in a lawsuit, it is "satisfactory assurance" that the party has received notice and sufficient information about the matter to file an objection. If the certificate of service of the subpoena indicates that more than 20 days have passed, you may presume that sufficient notice and time were allowed. However, you still need to determine if any objections were filed, and the subpoena alone will not usually tell you this. If there is no written notice from the requestor that this requirement has been met, you should contact the company or person who served the subpoena on your office and ask for such notice. Most subpoenas are issued by records management companies and you can usually contact them by phone to request that a letter be provided indicating either that no objections were filed, or that they were but were resolved and the information is now subject to release.
Additional Resources
HHS Office for Civil Rights HIPAA Web
