The Oklahoma Bar Journal March 2026

disclosure, regardless of whether they are bound by HIPAA. The HIPAA Privacy Rule “generally prohibits a covered entity from using or disclosing protected health information unless authorized by patients, except where the prohibition would result in unnecessary interference with access to quality health care or with certain other important public benefits or national priorities.”6 Those subject to HIPAA may be liable for civil and criminal penalties for unauthorized disclosure. Key compliance considerations for attorneys include:

Only Disclose PHI in Response to a Valid Medical Authorization, Court Order or for a Legally Permissible Purpose

A covered entity or business associate may use or disclose PHI for treatment, payment, health care operations or for a public benefit activity without prior oral or written authorization.7 These permissible disclosures are complex and beyond the scope of this article. They are defined by statute and are the subject of helpful guidance by HHS.8

A subpoena alone is not sufficient to authorize disclosure of PHI from a covered entity or business associate.9 Any subpoena for PHI should be accompanied by a valid medical authorization, a qualified protective order signed by the court or written assurances that the issuing attorney made a good faith attempt to provide written notice of the subpoena, and the patient did not object, or the patient’s objections were resolved by the court.10

HIPAA expressly defines what constitutes a valid medical authorization.11 The Oklahoma State Department of Health Standard Authorization to Use or Share PHI includes the “core elements” required by HIPAA. It can be downloaded from the Oklahoma State Department of Health website.12 The DHS authorization form was created to facilitate the transfer of patient medical information among health care providers in Oklahoma.
To be used for other purposes, such as the release of medical records in a personal injury lawsuit, additional language may be necessary. For example, to comply with Oklahoma jurisprudence, the following language may be added to the authorization:

    My health care providers are authorized to discuss any and all confidential medical information, subject to this authorization, with attorneys at [ ]. Their decision to communicate with said attorneys is purely voluntary and may not be compelled or prohibited by any party.13

If the disclosure is for some other legally permissible purpose, a medical authorization is not required. These permitted disclosures include preventing or controlling disease, reporting child abuse, reporting births and deaths, law enforcement purposes, reporting suspected criminal activity or other uses or disclosures required by law.14 Any disclosure of PHI by a covered entity should be approved and documented in an accounting of disclosures. This must be maintained for at least six years.15

Ensure All Devices That Receive, Store, Access or Transmit PHI Are Properly Secured and Encrypted and That Staff Is Trained on Your Compliance Practices and Incident Management Process

Documents containing PHI should not be transmitted electronically without additional security protections. This generally means your systems for receiving, storing, accessing, transmitting and destroying PHI must be secure. Unlike the HIPAA Privacy Rule, which applies to all forms of PHI, the HIPAA Security Rule applies only to electronic PHI. The security rule requires any device or system that creates, maintains or transmits PHI to have technical safeguards and integrity controls, such as a security management process and data backup plan. It does not expressly require data encryption. However, depending on the size, resources and scope of PHI managed by the entity, encryption is likely considered best practice.
It may also be mandated by your BAA, malpractice or cybersecurity insurance policies or other written agreements. Regardless of your security measures, you should document the rationale for your security decisions.16 Failure to comply with the security rule can result in direct enforcement action against not only a covered entity but also a business associate.17

The security management process under HIPAA requires the implementation of “policies and procedures to prevent, detect, contain, and correct security violations.”18 This includes the following required actions:

Conduct an accurate and thorough risk analysis of the confidentiality, integrity and availability of PHI;

Implement security measures sufficient to reduce risks and vulnerabilities, such as a security policy, use of password-protected files, data encryption and door locks on rooms where electronic PHI is stored;
