This is the property of the Daily Journal Corporation and fully protected by copyright. It is made available only to Daily Journal subscribers for personal or collaborative purposes and may not be distributed, reproduced, modified, stored or transferred without written permission. Please click "Reprint" to order presentation-ready copies to distribute to clients or use in commercial marketing materials or for permission to post on a website. and copyright (showing year of publication) at the bottom.

Health Care & Hospital Law,
Data Privacy

Feb. 23, 2021

Rewiring doctors’ and lawyers’ ‘HIPAA-campi’

On Jan. 21, the Department of Health and Human Services issued a notice of proposed rulemaking to modify the HIPAA privacy rule to address barriers that limit or discourage care coordination and case management communications between covered entities and individuals. Such proposed change must also account for the influence of medical-legal partnerships in delivering legal and medical services.

An Thien (Andy) Tran

Staff Attorney, Health Unit, Public Law Center

This article is about confused lawyers, confused doctors, and untreated patients. More often than not, lawyers and doctors find themselves at odds in medical malpractice lawsuits. But today, they share a common enemy: HIPAA.

The Health Insurance Portability and Accountability Act is arguably as intriguing, yet unresolved, as time-travel-movie arcs imagined by Christopher Nolan. Broadly, HIPAA allows health care providers to disclose a patient's protected health information to other public or private-sector entities that provide social services, depending on the circumstances. As a matter of conservative practice, health providers generally obtain patient authorization before disclosure. But where disclosure is made to social service agencies, community-based organizations, and third parties that provide health-related services for "care coordination" and "case management," health providers actually don't have to. Many doctors are unaware of the law's leniency. HIPAA and the Department of Health and Human Services neither expressly define "care coordination" and "case management" nor third parties that provide "health-related" services. Naturally, doctors are left confused about which third parties are entitled to receive protected health information, even when coordinating value-based services with their legal partners who are lawfully privy to such information.

A coordinated, service-driven relationship between lawyers and doctors is grounded in medical-legal partnerships, or MLPs. According to Brown University's School of Public Health Associate Professor Elizabeth Tobin-Tyler, an MLP is "a health care delivery model that integrates legal assistance into health care institutions serving the most vulnerable patient populations to address the social determinants of health." Lawyers are integrated into the health care team, informing MLPs about a dynamic understanding of social determinants of health (e.g., socioeconomic status, housing, food security, education) that influence someone's health status and accessibility to quality treatment. Doctors can help resolve patients' issues that cannot be diagnosed with a stethoscope. And as MLPs are increasingly integrated into community-health centers around the United States, it would be naïve to continue characterizing them as a movement; they are a national practice model.

Appropriately, legal advocates are an important gateway to legal and health services for vulnerable communities. However, MLPs face significant privacy and data-sharing challenges. Not only are medical professionals subject to various federal privacy and health laws, but lawyers must abide by attorney professional conduct rules. These laws and rules hamper a free exchange of patient-client information between medical and legal partners, presenting legal, ethical, and operational challenges.

Since HIPAA's passage, there has been widespread confusion about HIPAA on both individual and institutional levels of health care. For example, staff members and others within a medical partner organization may withhold information from the MLP legal partner based on a misunderstanding of the law, invoking HIPAA and other privacy laws. Health providers and their staff often fear that disclosing patient information could lead to lawsuits, large regulatory fines, or employment termination. Also, HIPAA's privacy norms, coupled with significant sanctions, influence social values and customs, where sharing protected health information is viewed as morally problematic creating a culture of privacy paranoia. Accordingly, medical providers resist sharing protected health information even if legally permissible. But an MLP is not directly subject to HIPAA, because they are neither providers, health plans, clearinghouses nor act as business associates of "covered entities." The patient is the central focus of both health and legal services.

Ethically, medical providers may be unwilling to share protected health information with an MLP legal partner due to concerns about how the legal partner might use (or misuse) that information. However, attorney professional rules govern lawyers practicing in the MLP context, ensuring that they themselves and non-lawyer MLP professionals adhere to those rules during the legal representation of patients.

Operational challenges may also block the sharing of protected health information among MLP partners because obtaining patient authorization to share protected health information from the medical partner to the legal partner requires an onslaught of tedious steps: informing patients about their privacy rights and what information will be disclosed, obtaining patient signatures, and tracking consents. In fact, medical partners and legal partners that are not fully integrated MLPs (i.e., legal services on-site at medical institutions) generally have separate recordkeeping procedures and documentation systems that are specific to the services that they deliver. These administrative obstructions are costly and operationally burdensome. A fluid exchange of information is central to MLPs' abilities to serve vulnerable populations, particularly communities of color and low-income individuals and families.

HHS recognizes these bottlenecks and published a proposed rule amending the HIPAA privacy rule to allow additional flexibility for covered entities to promote care coordination and case management. Specifically, it would expressly permit covered entities to disclose protected health information to social services agencies, community-based organizations, and other similar third parties, either as a treatment activity of a covered health care provider or as a healthcare operations activity. Such disclosures would not require patient authorization.

It requests public comment on whether the proposed change would remove perceived barriers to disclosing protected health information to social services agencies and community-based organizations to better enable individual-level care coordination and case management. The short answer may be yes. HIPAA, in and of itself, presents legal, ethical, and operational barriers to the establishment of MLPs and effective communication between medical and legal partners. MLPs are gamechangers in both the legal and medical worlds, because they are dedicated to providing direct legal assistance and advocacy to those with health-harming legal and social threats. HHS should expressly list or define MLPs as a group of organizations that can freely exchange protected health information without authorization to debunk confusion amongst doctors, lawyers, and patients.

The public comment period ends on March 22. 


Submit your own column for publication to Ben Armistead

For reprint rights or to order a copy of your photo:

Email for prices.
Direct dial: 949-702-5390

Send a letter to the editor: