HIPAA is hard to understand, even for lawyers. One of the hardest HIPAA concepts to understand and apply is the difference between necessary and sufficient in requirements for disclosure of protected health information (“PHI”) in certain situations.

Recently, a privacy officer contacted me to get my HIPAA opinion about disclosing PHI in a custody case. The county lawyer in the case said that the records of the mother of the child could be provided to the child’s guardian ad litem—that is, a court-appointed guardian for the lawsuit as opposed to a guardian responsible for the care and custody of the child overall. The county lawyer believed that the court order authorized the guardian to get the child’s records and included adult records. The privacy officer, whom I have worked with in the past and who is very sharp, did not believe this theory to be correct.

The court order appointed the guardian ad litem “for the purpose of making an investigation of the best interest of the above named minor as to the physical placement of said child.” It went on to authorize the guardian to “have access to all records of any kind pertaining to said child.” The order also stated: “IT IS FURTHER ORDERED that the Guardian ad Litem shall have access to all records of any kind pertaining to the said minor child. The records which shall be open for inspection and copying shall include, without elimination by enumeration, school, health, and medical, peace officer’s, law enforcement, court, psychological, psychiatric, social services, and any other records relating to or involving the named minor child.”

The next paragraph of the order provided: “[T]he guardian ad litem shall have access to all such enumerated records in full, even to the extent that such records disclose information relating to any adults or other minor child who have or may come into contact with the named minor child.”

State law in the state where this case came up requires an informed consent from the guardian (the court-appointed legal guardian care giver, not the guardian ad litem for the court case) or a court order and requires any release of substance abuse treatment records to comply with 42 C.F.R. Part 2.

Thus, the county attorney’s position was some kind of juxtaposition of the guardian’s consent and/or the position that the language in the court order appointing the guardian provided the legal basis for the disclosure in the custody proceedings.

To understand why the state law and the court order were inadequate to authorize the custodian of the records to provide them, consider the legal concept of necessary and sufficient conditions of the existence of something, such as a contract, a legal status, or the like. One can view a necessary condition as a required building block of that existence. Let’s take as an example probable cause to search. The first necessary condition is that it is more likely than not that a crime has been committed. The second necessary condition is that evidence, contraband, or fruits of that crime are in the particular place to be searched. So you cannot search my house just because I am suspected of having committed a crime. You have to have a reasonable belief that I hid in my house the loot from the robbery that I had committed.

Neither necessary condition standing alone, however, is a sufficient condition that probable cause exists. You need both necessary conditions to have a sufficient determination that probable cause to search exists. Does that determination mean that you can search? Not yet, because you still need the necessary condition of a search warrant or a substitute therefor, such as the automobile exception—that is, it can easily be driven away, so there may not be enough time to get a warrant. The three elements, taken together, are sufficient to provide the authority to search—a warrant or substitute thereof based on probable cause.

So, in this situation, a person with authority must authorize the disclosure of the records, or a judge must authorize the disclosure by court order. Each is a necessary condition butm even taken together, not sufficient. The guardian, while perhaps a person with authority, such as a guardian ad litemm, rather than a permanent guardian, did not submit a HIPAA compliant authorization for the disclosure to the court. Nor did the court order contain the requisite language for a HIPAA-compliant Qualified Protective Order. Although it authorized the guardian to disclose the health information, it did not comply with the privacy protections for court proceedings that HIPAA requires.

This issue is further complicated by the substance abuse confidentiality protections in 42 C.F.R. Part 2, which specify additional safeguards for disclosure of such information in court proceedings.

Remember that HIPAA pre-empts—that is, trumps—state law unless the state law, among other grounds not relevant here, provides more privacy protection. Here, the court order and any argument that state law authorizes the guardian’s disclosure in judicial proceedings provide less privacy protection than HIPAA does.

Having served as an expert witness on HIPAA in a similar state court case in a different state, I not so jokingly say that such situations as this one demonstrate that the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) is really just the cover name for the law. Surely, the real name is the Health Lawyers’ Full Employment Act!

Heads-up reminder again: We plan to conduct our two-day Hands-on HIPAA workshop in the Kansas City area, at the Baker University campus at Metcalf and College, on Thursday and Friday, March 15–16, 2018. Advance registration for the two-day Hands-on HIPAA workshop is $1,095 through Valentine’s Day, February 14, 2018, and regular registration thereafter goes up to $1,295. Registration includes a Gap Analysis Survey Questionnaire, which we will need for you to fill out and return to us so that we can help you identify where you are in your HIPAA compliance efforts, where you need to be, and exactly how to fill that gap and write a report tailored to your organization. Registration also includes copies of the following books: Your Happy HIPAA Book, The Complete HIPAA Policies and Procedures Guide, with accompanying CD, HIPAA in the Digital Age (forthcoming), and HIPAA Hysteria, perhaps among others. During the two days, you will use your Gap Analysis and our report about it to develop your initial Risk Analysis or update your last year’s version with help from our faculty and our Risk Analysis ToolKit. Then, with more help from our faculty, you will use your completed Risk Analysis and our CD of sample policies and procedures to develop your policies and procedures, required, addressable, and others, tailored to your organization. To help you maintain your stamina during this workshop designed to help you get your organization HIPAA compliant, your registration will also include refreshments during the sessions, two lunches, and a happy hour on Thursday evening, tentatively planned for at a nearby Hilton. Registration is available on our website here. More exact info to follow, so stay tuned and block out your calendars! Thanks. We look forward to seeing you and to helping you achieve your HIPAA compliance goals. Happy New Year!