CIPP/US Study Guide
Chapter 13: Privacy Issues in Civil Litigation and Government Investigations

Discovery Under HIPAA and GLBA

Sectoral laws coexist with discovery. HIPAA permits PHI in discovery via patient authorization, a court order, or satisfactory assurances (a qualified protective order). GLBA lets financial institutions disclose to comply with legal process and respond to judicial process, and courts read this to cover civil discovery.

HIPAA specifically addresses PHI in discovery. A covered entity may disclose PHI: (1) if the subject authorizes release; (2) absent a release, subject to a court order; or (3) subject to a discovery request if satisfactory assurances are provided - meaning the parties have agreed to a qualified protective order (QPO) and submitted it to the court, or the requesting party has asked the court for one. A QPO bars use of the PHI outside the litigation and requires its return or destruction when the litigation ends.

Under GLBA, a financial institution may disclose protected information to comply with laws and legal requirements, to comply with an authorized investigation, subpoena, or summons, or to respond to judicial process or to regulators with jurisdiction. Federal courts have read this exception to encompass civil discovery requests, though an institution that discloses should still seek a protective order.

Key terms - quick answers

What is “Satisfactory assurances”?
Under HIPAA, the showing - via an agreed-upon qualified protective order submitted to the court, or a request for one - that allows a covered entity to disclose PHI in response to a discovery request.