Medical records are pivotal in any medical-legal case, and for successful case resolution these documents have to be obtained during discovery. Custodians of medical records must be compliant with HIPAA, with HITECH, and with the various state Data Breach Notification laws. Custodians can release medical records only with a valid authorization or subpoena. This brings us to the question of medical record retrieval. If all the records are to be obtained in time for settlement meetings, depositions and other discovery-related requirements, the person requesting the medical records has to follow up continuously. Law firms either do the record retrieval in-house or outsource it to medical record retrieval companies. The custodians of medical records, as well as law firms, corporate legal departments and the various services they use, must maintain compliance with HIPAA, HITECH and other relevant Data Breach Notification laws. The last of these, the Data Breach Notification laws, apply to almost all types of businesses, whereas HIPAA and HITECH apply only to certain types of corporations and their outside counsel.
Now 47 states in the United States have Data Breach Notification laws, and these laws are much broader than HIPAA. They require law firms and businesses to safeguard the personal and sensitive information of their clients, such as tax information, credit card information, social security numbers, driver's license numbers and all other types of personal information that corporations and law firms may obtain in the regular course of business. Confidential correspondence between attorneys and their clients may also be at risk in the absence of appropriate security measures. Which Data Breach Notification law applies depends on the state where the business is located as well as on the state where the affected individual resides, irrespective of whether that individual is a client of the business. Insurance companies that hold information on individuals residing in many different states are therefore likely to be affected more by these laws.
The 47 states that have Data Breach Notification laws require businesses to notify the individual regarding the breach. Some states require businesses to inform the attorney general and credit reporting agencies, depending on the number of individuals affected.
Some US states have set fixed time periods within which the affected individual must be notified, whereas other states require individuals to be notified within a "reasonable time." The time periods differ from state to state.
Now, let us go back to the medical record retrieval services and vendors that access the medical records and personal information of individuals. If one of these services suffers a breach, the law firm or corporation that engaged it is likely to be held responsible and may have to pay fines. It may also face legal action, and must report the data breach to the individuals affected as well as to government agencies. Undoubtedly, therefore, the choice of a record retrieval service must be made carefully. With outsourced services, there is a risk of data breach during the electronic transmission of PHI (protected health information) if adequate security measures are not implemented. Apart from medical records, record retrieval companies may also obtain other types of records, including employment records, that may not be covered under HIPAA but may contain financial or personal information that falls under Data Breach Notification laws. It is this information that cybercriminals often target for fraudulent activities. Therefore, law firms and corporate legal departments using outsourced services must make sure that they are partnering with vendors that can demonstrate their compliance with all relevant security regulations.