Section Review

The impact of HIPAA on litigation discovery: Lessons from the first cases

Vanessa L. Smith is an associate at Bulkley Richardson and Gelinas in Springfield, where her practice focuses on the representation of health care providers in regulatory, risk management and medical staff matters.
The privacy regulations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)1 took effect on April 14, 2003. In two cases decided since then, courts in other jurisdictions have addressed the impact of HIPAA on litigation discovery issues. In one case, the issue concerned disclosure of the health information of a medical malpractice plaintiff and the other, in the context of an employment discrimination case, involved questions concerning disclosure of the health information of employees who were “similarly situated” to the plaintiff. Such issues generally must be analyzed under both state and federal law. These two cases nevertheless are instructive to Massachusetts practitioners as they attempt to apply HIPAA in litigation proceedings.

Law v. Zuckerman

In Law v. Zuckerman,2 the United States District Court for the District of Maryland (Southern Division) held that where the plaintiff in a medical malpractice action was not provided with prior notice and an opportunity to object, defense counsel’s ex parte communications with her treating physician violated HIPAA.

The plaintiff in Law alleged that surgical treatment she had received from the defendant — laser ablation to remove abnormal cells — caused collateral damage to her cervical tissue and thereby rendered her cervix incompetent. The plaintiff later became pregnant, and her treating physician performed a cervical cerclage to increase her ability to carry a child to term. In the malpractice action, the plaintiff sought to recover damages for costs and injuries associated with the placement of the cerclage.

During discovery, the plaintiff produced copies of her medical records and thereafter the defendant’s counsel met ex parte with the treating physician. At trial, the defendant called the treating physician as a fact witness, for the purpose of proving that the cerclage was elective and that it had not been necessary to remedy damage caused by the alleged negligent care of the defendant. Plaintiff objected to ex parte communications that may have occurred between her treating physician and the defendant’s counsel, arguing that because she had not been notified in advance that the defendant’s counsel would pursue ex parte communications with her treating physician, any such communications violated her rights under HIPAA.

Maryland’s Confidentiality of Medical Records Act (“MCMRA”)3 provides that where a patient has sued a health care provider for malpractice, the provider “shall disclose” patient records without authorization from the patient. The defendant argued that the MCMRA, and not HIPAA, should apply to the disclosures of the patient’s health information because it was more stringent than HIPAA. The court disagreed. The court held that state laws are more stringent than HIPAA where they “afford patients more control over their medical records,” and that the Maryland law, which “sacrifices the patient’s control over their private health information in order to expedite malpractice litigation” failed to satisfy that standard.

Having determined that defense counsel’s ex parte communications violated HIPAA, the court nevertheless concluded that the remedy sought by the plaintiff — precluding counsel from speaking further with the treating physician about the plaintiff’s treatment — was not appropriate under the circumstances. The court noted that HIPAA is silent as to how a court should treat a HIPAA violation during trial, and that the type of remedy to be applied was governed by Federal Rule of Civil Procedure 37. In exercising its discretion under Rule 37, the court determined that defense counsel had believed in good faith that his communications were appropriate under Maryland law and that he had “exercised more than reasonable diligence” when determining that his contacts with the treating physician did not violate HIPAA. The court also considered relevant the fact that it had not ruled during the trial that HIPAA applied to the case and that, in any event, the court had effectively remedied any HIPAA violation by an earlier order directing that both parties could speak with the treating physician before he testified about the issues set forth in the plaintiff’s medical records.

Beard v. City of Chicago

In Beard v. City of Chicago,4 the United States District Court for the Northern District of Illinois rejected the defendant’s argument that certain medical records were privileged from production under three different statutory and regulatory schemes, including HIPAA. The plaintiff in that case, Ms. Beard, was an African-American woman who suffered from major depression. After she was terminated from her employment as a paramedic with the city of Chicago Fire Department (the “Department”), Beard filed a federal lawsuit in which she alleged discrimination on the basis of disability, race, and gender.

During discovery, Beard sought the production of documents related to leaves of absence taken by other Department paramedics due to mental health or substance abuse issues. She argued that she and such other paramedics were similarly situated and that their treatment by the Department was discoverable in connection with her discrimination claims. The defendant, the city of Chicago, objected to production of the documents on grounds that, among other things, such disclosure was barred by HIPAA. The court concluded that it was not.

In the Department’s possession were documents that, although generated in a variety of ways, all related to employees’ fitness to return to work. For example, the Department maintained medical records generated by outside medical personnel, either in the course of an employee’s treatment or at the request of the Department, to document an employee’s progress. The Department also possessed records of evaluations to assess employees’ fitness to return to work performed by outside physicians, and by physicians and other medical personnel employed by the Department in the medical section of its personnel division. Employees sent by the Department to an outside provider for such an evaluation signed a consent form in which they acknowledged that there is no treatment relationship with the evaluating physician and that the information provided by the physician is not confidential.

The court concluded that, for several reasons, HIPAA did not bar production of any of the records in the Department’s possession. First, the court determined that the Department was not a “covered entity” to which HIPAA’s privacy protections applied. There apparently having been no suggestion that the Department was either a “health plan” or a “healthcare clearinghouse,” the court focused on whether the Department was a “healthcare provider” within the meaning of the regulations. The court concluded that it was “questionable” that it was because it did not appear that “the Department’s medical section actually provides medical care; it evaluates medical conditions (and pays for fitness for return to duty evaluations) not for the purpose of treatment, but for the purpose of determining fitness to return to work.”5 The court held that, in any event, there was no evidence that the Department transmitted health information in electronic form and, therefore, it did not meet the definition of a “covered entity” under the regulations.

Next, the court held that even if the Department qualified as a covered entity under HIPAA, the information at issue was not “protected health information” to which HIPAA’s provisions applied. Noting that the definition of protected health information specifically excludes health information maintained in employment records held by a covered entity in its role as employer, the court concluded, “Plainly, the only reason that the Department maintains any records of an employee’s substance abuse or mental health treatment in connection with a [leave of absence] is because of the Department’s role as an employer.”6 Finally, the court noted that the HIPAA regulations allow a covered entity to disclose protected health information in a judicial or administrative proceeding, either in response to court order or, in the absence of an order, if reasonable efforts had been made (1) to insure that individuals who are the subject of protected health information receive notice of the request and an opportunity to object or (2) to seek a qualified protective order.

It should be noted that the court went on to hold that although HIPAA did not bar production of the records, at least some of the records were protected by the psychotherapist-patient privilege, which neither of the parties had addressed in their arguments.


As discussed above, confidentiality issues must be analyzed under both Massachusetts and federal law. The two cases summarized here serve as a reminder to Massachusetts practitioners that such issues may arise in a variety of contexts. Practitioners must be alert to issues of patient confidentiality regardless of the nature of the cases they handle.

End Notes

1. 45 C.F.R. Parts 160 and 164.[back]

2. 307 F. Supp. 2d 705 (D. Md. 2004).[back]

3. Md. Code Ann. Health-Gen. I § 4-306(b)(3).[back]

4. No. 03 C 3527, 2005 WL 66074 (N.D.Ill. Jan. 10, 2005).[back]

5. Id. at *2.[back]

6. Id. at *3.[back]

©2017 Massachusetts Bar Association