Doctor, Doctor, Give Me the News: Handling IRS Summonses for HIPAA Medical Records
Although doctors, dentists, and others in the medical profession are familiar with the requirements of HIPAA, some IRS Revenue Officers and Revenue Agents are not well-versed in the privacy protections of the act. When a doctor, dentist, or psychiatrist receives a request for medical records (e.g., by way of an IRS summons) it will be incumbent on the health care professional to ensure that the IRS request complies with the disclosure requirements for HIPAA or to educate the agent on the acceptability of alternative (or redacted) records.
As stated in the IRS Office of Chief Counsel’s Notice on HIPAA and summonses (CC-2004-034):
While the Service maintains the ability to summon information under the privacy rules, the rules impose additional requirements on the Service for administrative summonses. Protected health information sought pursuant to a summons must satisfy an additional three-pronged test: (1) the information sought must be “relevant and material” to a “legitimate law enforcement inquiry”; (2) the request must be “specific and limited in scope to the extent reasonably practicable in light of the purpose for which the information is sought”; and (3) “de-identified information could not reasonably be used.” 45 C.F.R. § 164.512(f)(1)(ii)(C). These privacy rules are in addition to any statutory or judicial requirement for issuing a summons. To satisfy the requirements of the three pronged test, the Service should supplement any summons for protected health information with a statement that the three prongs have been met. Under the privacy rules, a covered entity may reasonably rely on such statements and produce summoned information. 45 C.F.R. § 164.514(h)(2).
The Service should also incorporate these standards when drafting affidavits to accompany suit requests to enforce summonses.
[Footnotes omitted.]
If there is no statement as to the three-pronged test accompanying the IRS summons or other request, the IRS may not have properly justified the production of HIPAA-protected documents and the doctor, dentist, or other health professional may have grounds to provide alternative documents without HIPAA identifiers. Of course, any time anything less than a full response is provided, the IRS should be informed of the grounds for omission to avoid misunderstandings.
HIPAA laws and IRS procedures are complicated and I would not advise that any taxpayer engage in self-help when these matters coincide. A legal professional with experience in these areas should be consulted as to the particular facts of your case.
The author of this post is Daniel Layton, a former IRS trial attorney and federal prosecutor in the Tax Division of Los Angeles’s U.S. Attorney’s Office.
Posted on 07/18/2020 by Daniel Layton.