Part 1: Critical Analysis of the Law

1. Evaluate medical record release requirements in litigation. When should medical records be released?
   • Describe privileges and immunities that would protect records from release (one of each).
   • Describe how the medical record can be used as evidence and what information would be admissible.
   • Evaluate whether a medical record release in response to a medical record request of subpoena violates HIPAA.
2. Evaluate how you can balance the need to communicate via e-mail or text messaging with the HIPAA duty to keep personally identifiable information secure.
   • How would you balance HIPAA requirements with business necessities? Does e-mailing or texting violate HIPAA? Why or why not?
   • What policies and procedures would you put in place for e-mail and text messaging for a hospital (one of each)? Why?
3. Evaluate the relationship of a medical record retention policy, record destruction policies, and a litigation hold.
   • How does the litigation hold impact the other policies?
   • How can medical records, medical record retention and destruction, and medical record release policies be used as a compliance tool?
4. How could strong medical record policies and procedures and in-house legal counsel services prevent the situation described in The Tracks We Leave: Chapter 9 Information Technology Setback: Heartland Health care System? Evaluate how the AHIMA Code of Ethics and guidelines would apply to this situation. Be specific and demonstrate understanding of the risks and how the compliance tool can be used specifically to control the risks.

Part 2: Strategic Compliance with the Law

You work for a large managed care organization (MCO) that includes 5 hospitals, 25 providers clinics, 1 health insurance company, and 10 pharmacies. The MCO is using electronic health records (EHR). Your organization is not using 2015 CEHRT.

Your organization has received a large e-discovery request and you are required to respond within 30 days. Some of the records requested are held by your business associate - a pharmaceutical that runs an asthma disease management program for your program. The business associate agreement meets HIPAA requirements and requires the pharmaceutical to comply with any discovery requests.

1. Evaluate what you need to do to respond to the e-discovery request. Be sure to include the following.
   • Describe how you will identify privileged medical records and remove them from discovery disclosure.
   • Identify records subject to peer review immunity and remove them from discovery disclosure
   • Identify records that are not relevant to the lawsuit and not subject to discovery.
2. Compare and contrast a 502D court order and 502E contract waiver to protect privilege if there is an inadvertent disclosure. Which would you recommend and why?