NRPM: Standards for Privacy of Individually Identifiable Health Information. v. Disclosure of information compiled for a legal proceeding.


In § 164.514(b)(1)(v), we are proposing that covered plans and providers be permitted to deny a request for inspection and copying if the information is compiled in reasonable anticipation of, or for use in, a legal proceeding. This provision would permit the entity to deny access to any information that relates specifically to legal preparations but not to the individual’s underlying health information. For example, when a procedure results in an adverse outcome, a hospital's attorney may obtain statements or other evidence from staff about the procedure, or ask consultants to review the facts of the situation for potential liability. Any documents containing protected health information that are produced as a result of the attorney’s inquiries could be kept from the individual requesting access. This provision is intended to incorporate the attorney work-product privilege. Similar language is contained in the Privacy Act and has been interpreted to extend beyond attorneys to information prepared by "lay investigators."

We considered limiting this provision to “civil” legal proceedings but determined that such a distinction could create difficulties in implementation. In many situations, information is gathered as a means of determining whether a civil or criminal violation has occurred. For example, if several patients were potentially mistreated by a member of a provider’s staff, the provider may choose to get copies of the patients’ records and interview other staff members. The provider may not know at the time they are compiling all of this information whether any investigation, civil or criminal, will take place. We are concerned that if we were to require the entity to provide the individual with access to this information, we might unreasonably interfere with this type of internal monitoring.