Safeguarding Confidential Health Information of Clients and Third Parties
Opinion rules that a lawyer must use reasonable care under the circumstances to protect from disclosure a client's confidential health information and is encouraged, but not required, to use similar care with regard to health information of third parties.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the US Department of Health and Human Services to establish a set of national standards for the protection of certain health information including identifiable medical records of individual patients. Pursuant to this mandate, the US Department of Health issued Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule) which establishes national standards for the protection of protected health information. The Privacy Rule applies to health plans, health care clearinghouses, and to any health care provider who transmits health information in electronic form in connection with certain specified transactions.1
Lawyers frequently obtain medical records and health information of both clients and opposing parties in conjunction with the prosecution or defense of medical malpractice and personal injury cases and other representations involving questions of injury or disability. It does not appear that lawyers or law firms are covered by the Privacy Rule.2 However, in light of the public policy favoring the protection of sensitive medical information that is manifested by the Privacy Rule, what actions should a lawyer take to safeguard the health information of a client from disclosure to unauthorized persons?
The duty of confidentiality set forth in Rule 1.6 of the Rules of Professional Conduct prohibits a lawyer from revealing information acquired during the professional relationship unless the client gives informed consent, the disclosure is impliedly authorized to carry out the purpose of the representation, or the disclosure is otherwise permitted by the Rules. Comment  to Rule 1.6 observes that the confidentiality rule applies "not only to matters communicated in confidence by the client, but also to all information acquired during the representation." Therefore, health information obtained during the representation of a client is clearly covered by the duty of confidentiality.
Neither Rule 1.6 nor the comment to the rule provide guidance on the standard of care that a lawyer must use in fulfilling the duty of confidentiality. However, in the absence of a specific mandate, a lawyer is generally expected to use reasonable care in fulfilling his or her duties under the Rules. See Rule 0.2, Scope ("The Rules of Professional Conduct are rules of reason."). For example, RPC 133 states that a law firm is not required to shred waste paper that includes confidential client information and may recycle the waste paper provided the lawyer determines that
those persons or entities responsible for the disposal of waste paper employ procedures which effectively minimize the risk that confidential information might be disclosed...[and] custodial personnel…are conscious of the fact that confidential information may be present in waste paper products and are aware that the attorney's professional obligations require that there be no breach of confidentiality in regard to such information.
Similarly, RPC 215 provides that a lawyer may communicate confidential client information over a cellular or cordless telephone, despite the risk of interception, because the duty of confidentiality "does not require that a lawyer use only infallibly secure methods of communication." Instead, the lawyer "must use reasonable care to select a mode of communication that, in light of the exigencies of the existing circumstances, will best maintain any confidential information that might be conveyed in the communication." Id.; accord RPC 133 (some client information may be so sensitive that the duty can only be satisfied by shredding waste paper). Thus, the standard of care for safeguarding client confidential information is reasonable care as dictated by the circumstances.
In determining the degree of protection and care with which a client's health information is handled, the public policy of providing substantial protection for the privacy of such information which is expressed in the Privacy Rule should inform the actions of lawyers and law firms, particularly with regard to the disposal of such records.
Lawyers may receive the health information of an opposing party or other third party in conjunction with the representation of a client. What duty does a lawyer have to protect the privacy of the health information of a third party?
Any information acquired during the course of a representation, including information of third parties, is confidential and may only be disclosed as authorized by Rule 1.6. Nevertheless, even if disclosure is permitted under the Rules, lawyers are encouraged to respect the privacy of third parties and to handle and dispose of health information of third parties with the same care that would be used with regard to the health information of a client.
It goes without saying that if a lawyer determines that health information in his or her possession is subject to the requirements of the Privacy Rule, the lawyer must follow the mandates of the rule with regard to the retention, transmission, or disposal of the health information.