Protected Health Information in Mediation and Arbitration – Best Practices

November 21, 2019

I just listened in on a conference call presentation on Protected Health Information (“PHI”) in mediation and arbitration. It covered best practices for dealing with the potential disclosure of confidential patient information inherent in many healthcare disputes while navigating the requirements of HIPAA and other laws. Sponsored by the ABA Section of Litigation – Commercial & Business Litigation Committee, the program’s presenters were healthcare attorney Shannon Hartsfield and mediator – arbitrator Conna Weiner

PHI Plays a Role in Many Disputes

The presenters correctly pointed out that identifiable, individual health information protected by HIPAA appears in many healthcare disputes, including:

  • Payor-provider cases involving overpayment or underpayment 
  • Insurance coverage disputes, including medical necessity
  • Professional negligence (malpractice) claims
  • Provider v. provider business disputes implicating patient relationships 
  • Healthcare fraud allegations
  • Contract claims involving prescribed product rebate calculations 

What Are the Ground Rules?

Most importantly, parties and counsel entering a mediation or arbitration potentially involving PHI need to think about compliance with HIPAA and other laws that may apply. This sounds basic, but the issue is often overlooked.

The analysis should be something like this:

  • Will PHI be disclosed in the course of the proceeding?
  • Is one or more of the parties a Covered Entity or a Business Associate?
  • Assuming the answers to the two previous questions are yes, can the parties agree upon a way to avoid the disclosure, postpone it or limit it to the minimum amount necessary?
  • Can the PHI be de-identified? (This is harder than it might seem.)
  • Is the information subject to encryption and password protection?
  • Have the parties in mediation entered into an agreement to preserve the confidentiality of the PHI?
  • Can the parties in arbitration ask the arbitrator for a Qualified Protective Order to preserve confidentiality of PHI?
  • Are there any special considerations for compliance with laws other than HIPAA (e.g., state privacy laws, federal laws relating to highly confidential medical conditions)?

Following this analysis will very likely cause any disclosure of PHI to be HIPAA compliant (a) under the exceptions for “healthcare operations” or “judicial process,” and (b) as limited to the minimum amount of disclosure necessary.

Who is Responsible for Compliance?

The parties, if they are subject to HIPAA, are responsible for compliance with respect to all PHI. Counsel for the parties, in addition to advocating for their interests in the mediation or arbitration, must advise their clients on their compliance obligations. 

The presenters today suggested, and I agree, that the mediator or arbitrator is not a Covered Entity or Business Associate, and hence is not subject to HIPAA’s requirements. Nonetheless, neutrals generally have a broader interest in conducting the proceedings so that the parties’ participation does not violate HIPAA or any other law. The neutral must balance this objective against avoiding the role of either legal advisor to the parties or participant in their agreement concerning what is or isn’t compliant.

(Photo by Gerd Altman from Pixabay)

Leave a Comment