Campos v. Payne

OPINION OF THE COURT

Philip S. Straniere, J.

*922Defendants by their attorney have submitted a judicial subpoena duces tecum to be so ordered by the court. The subpoena, issued to Staten Island University Hospital, seeks the production of all medical records relating to plaintiffs medical treatment at the hospital as a result of an automobile accident on March 10, 1997. It also seeks all records subsequent and prior to that date and contains a notification (in caps) that “all records are to be certified.” The return date for the records is the scheduled trial date.

Based on the recent amendments to CPLR 3120, 3122, and the newly enacted CPLR 3122-a (eff Sept. 1, 2003), the provisions of the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) (Pub L 104-191, 110 US Stat 1936) and the regulations put forth by the Secretary of Health and Human Services, the court declines to sign the subpoena.

CPLR 3122, as modified, no longer requires a court order for the service of a discovery subpoena duces tecum on a nonparty. Beginning on September 1, 2003 the Legislature required the following procedure be followed:

“(a) Within twenty days of service of a notice or subpoena duces tecum under rule 3120 or section 3121, the party or person to whom the notice or subpoena duces tecum is directed, if that party or person objects to the disclosure, inspection or examination, shall serve a response which shall state with reasonable particularity the reasons for each objection. If objection is made to part of an item or category, the part shall be specified. A medical provider served with a subpoena duces tecum requesting the production of a patient’s medical records pursuant to this rule need not respond or object to the subpoena if the subpoena is not accompanied by a written authorization by the patient. Any subpoena served upon a medical provider requesting the medical records of a patient shall state in conspicuous bold-faced type that the records shall not be provided unless the subpoena is accompanied by a written authorization by the patient. The party seeking disclosure under rule 3120 or section 3121 may move for an order under rule 3124 or section 2308 with respect to any objection to, or other failure to respond to or permit inspection as requested by, the notice or subpoena duces tecum, respectively, or any part thereof.”

*923CPLR 3122 relates to the time within which the subpoenaed party has to object to the subpoena and adds important caveats regarding subpoenas served upon medical providers which if not followed would prevent delivery of the subpoenaed documents. CPLR 3122-a sets forth the requirements for certified business records to be admitted into evidence, with details regarding notice and certification procedures. CPLR 3120 adds a new requirement of mandating that a copy of every subpoena duces tecum be served not only on the custodian of the records but on all other parties. This is a substantial change in New York civil procedure. In addition once the subpoenaed records are delivered, notice must be sent to all parties of what records were actually produced and of their availability for inspection and copying.

The HIPAA was passed by Congress in 1996 and was designed to streamline and simplify the procedures regarding the exchange of patient information throughout the health care system. In enacting this legislation Congress paid particular attention to the privacy rights of patients so that personal medical data would not be inadvertently disclosed.1 At that time Congress mandated that, within 36 months, the Secretary of Health and Human Services promulgate certain regulations with respect to the statute, particularly patient privacy. The final regulations in this regard were promulgated in 2001 and went into effect in April 2003.2

HIPAA § 264 (c) (2), administrative simplification provisions (Pub L 104-191, reprinted following 42 USCA § 1320d-2), provided that the regulations “shall not supercede a contrary provision of State law, if the provision of State law imposes requirements, standards, or implementation specifications that are more stringent than the requirements, standards, or *924implementation specifications imposed under the regulation.”3 Among the thousands of comments which the proposed regulations attracted were concerns regarding the potentially negative and dilatory impact that privacy protection would have on the litigation process, particularly with respect to subpoenas for a litigant’s medical record and as the federal protections may conflict with a state’s discovery procedures. (65 Fed Reg 82462 [codified at 45 CFR parts 160, 164].) In partial response to those comments, the Secretary stated that “[protected health information is necessary for a variety of reasons in judicial and administrative proceedings. Often it may be critical evidence that may or may not be about a party. Requiring an authorization for all such disclosures would severely impede the review of legal and administrative claims. Thus, we have tried to balance the need for the information with the individual’s privacy” (65 Fed Reg 82462, 82674).

In addressing the concerns of some that the rules would conflict with existing state statutes regarding rules of evidence and discovery, the Secretary explained that the rule “permits covered entities to disclose protected health information for any judicial or administrative procedure in response to a subpoena, discovery request, or other lawful process if the covered entity has received satisfactory assurances that the party seeking the disclosure has made reasonable efforts to ensure that the individuad has been given notice of the request . . . These rules do not require covered entities or parties seeking disclosure of protected health information to involve the judiciary; they may choose the notification option rather than seeking a qualified protective order” (id.). The Secretary further noted that some states have enacted laws which reflect these concepts, for example requiring that the party seeking the records provide the health care provider with proof that notice was given to the patient whose records have been requested.

The amendments to the CPLR were designed to expedite the discovery process with respect to nonparty witnesses and the production of their records and “simplify methods for obtaining discovery of documents, particularly routine business records . . . and procuring their admission into evidence” and “alleviate burdens upon the litigants, non-party witnesses and the courts” (Mem of Off of Ct Admin, 2002 McKinney’s Session *925Laws of NY, at 2153 [“Civil Practice Law and Rules — Production of Non-Party Business Records”]). Although expediency and judicial economy are the driving force behind these statutory changes affecting litigation, the courts and Legislature have repeatedly emphasized the importance of providing a safe harbor for patient privacy.

Consequently, CPLR 3122 (a), as amended, requires that “[a]ny subpoena served upon a medical provider requesting the medical records of a patient shall state in conspicuous boldfaced type that the records shall not be provided unless the subpoena is accompanied by a written authorization by the patient.” The subpoena presented in this case neither contains this statement nor the authorization of the plaintiff and is therefore not in compliance with the statute and is therefore defective on its face.

While CPLR 3122 is primarily directed to the discovery phase of litigation, it cannot be assumed that the barriers which protect patient privacy are to be broken down on the eve of trial. Therefore, the same safeguards that the statute imposes on discovery must be continued through the trial stage. To do anything less would risk the patient’s privacy and compromise the spirit of not only the CPLR but the federal statute and its concomitant regulations. The CPLR sets forth clear directives which the party seeking the records’ production must follow when the person on whom the subpoena is served is a health care provider. It also contains the guidelines which the health care provider must follow should it choose to withhold the documents and mandates what notices must accompany any objections to the disclosure. Not only are these requirements consistent with the objectives of HIPAA and the Secretary’s regulations, but they also reflect the New York Legislature’s legitimate response to the urgent need to promote fluidity in the judicial process while maintaining the integrity of patient privacy. It would make little sense to institute this new disclosure system for pretrial discovery while maintaining a system which could eviscerate that process by the act of a judge signing her or his name on a subpoena, under the words “so ordered,” which would require production of medical records without notice to all parties. It would seem that the intent of the new legislation is to eliminate this practice and give parties the opportunity to object to the production of certain records.

This is of course an alteration of New York jurisprudence that followed the common-law principle that if one claimed a *926personal injury, the party’s entire medical and physical history was put into issue. When one brought litigation, it was considered to be a waiver of any privacy rights in this regard. The Court of Appeals in Green v Montgomery (95 NY2d 693 [2001]) analyzed several situations in which a privilege is waived where an individual affirmatively places protected information or conduct in issue and specifically dealt with civil suits for personal injuries. The Court noted (at 700): “In Dillenbeck v Hess (73 NY2d 278, 287), for example, this Court stated that a litigant waives the physician-patient privilege of CPLR 4504 when, ‘in bringing or defending a personal injury action, that person has affirmatively placed his or her mental or physical condition in issue’ (see also, Koump v Smith, 25 NY2d 287, 294). Otherwise, as we explained in Koump, a party would be able to use the privilege ‘as a sword rather than a shield,’ and a party ‘should not be permitted to assert a mental or physical condition in seeking damages . . . and at the same time assert the privilege in order to prevent the other party from ascertaining the truth’ (25 NY2d, at 294).” In the past whether the plaintiff had a terminal illness, prior or subsequent accidents, or was on medication that might impair the plaintiffs abilities in some manner were all fair game for discovery. The new system would seem to engender a process whereby the courts will become the arbiter of medical discovery in all cases requiring judges to reserve shelf space in their chambers for medical texts such as Stedman’s Medical Dictionary and the Physician’s Desk Reference in order to decide these discovery issues.

Notably, the practice in certain courts of this state has been to deny parties the opportunity to review medical records which have been produced for trial in response to a subpoena, unless the person whose medical records were produced provided a specific waiver and authorization, pursuant to Public Health Law, article 27-F, §§ 2780-2787. In Fazzolari v Spagifiore (Index No. 241 RTS 2000 [2002]), the court, noting discrepancies existing in the treatment of discovery of confidential records, found that the Public Health Law does not apply to subpoenaed records (Public Health Law § 2785 [4] [c]) and with perhaps prescient optimism, the court encouraged the Legislature “to take steps to clarify the situation to ensure the rights of all litigants are adequately protected.”

Accordingly, the court cannot “so order” the subpoena without the authorization of the party whose records are sought. To do so would be to sanction an end run around the privacy *927protections established both by Congress and the State Legislature. Production of the records can be accomplished either by complying with CPLR 3120 and 3122, or by bringing a motion on notice to all parties. Furthermore, even if the court were inclined to “so order” the subpoena, the subpoena in this case is defective in that it lacks the bolded language mandated by CPLR 3122.

. It is interesting that while on many issues debate rages over whether or not a right of privacy exists under the United States Constitution or because all human beings have such a right, Congress took steps to protect the privacy rights of individuals in regard to medical records. Although this court is not faced with the issue, if it is conceded that Congress can enact such legislation, does it diminish arguments for the existence of a “right of privacy” which cannot be limited by legislation?

. HIPAA and the regulations promulgated pursuant to HIPAA were found not to be an impermissible delegation of a legislative function; not beyond the scope of a congressional grant of authority; nor impermissibly vague (South Carolina Med. Assn, v Thompson, 327 F3d 346 [4th Cir 2003]).

. Another issue that may be debated is whether and to what extent Congress can pass legislation that affects the civil procedure of the individual states.