Hungry, Hungry HIPAA: Navigating Privacy Requirements in New York No-Fault Practice

Key Takeaways

• HIPAA’s litigation exception at 45 CFR 164.512(e) permits disclosure of PHI in response to a subpoena, court order, or discovery request with satisfactory assurances — a HIPAA-compliant authorization is not the only pathway
• Under Insurance Law §5106 and 11 NYCRR 65-3.5, a no-fault carrier can compel verification (records, EUO, IME) directly from the EIP/provider — the regulatory request itself functions as the legal-process authority HIPAA contemplates
• Barshay v Allstate Ins. Co. and progeny confirm that the provider’s prima facie no-fault burden does not require a HIPAA authorization attached to the NF-3 — the claim form and assignment of benefits are sufficient
• CPLR §4504 physician-patient privilege is waived the moment a plaintiff places medical condition in controversy — Arons v Jutkowitz, 9 NY3d 393 (2007) further permits informal ex parte interviews of treating physicians after a note of issue
• Post-litigation discovery overrides patient-side HIPAA objections: HIPAA preempts only state law that is less protective, and §4504 + court orders are equally or more protective
• The full no-fault verification grid lives in our EUO requirements analysis — HIPAA does not block the carrier’s §5106 toolset
• Practitioners should pair a HIPAA-compliant authorization with a so-ordered subpoena when a custodian outside the suit is resistant — the belt-and-suspenders approach defeats most provider objections

The Complex Intersection of Medical Privacy and Personal Injury Litigation

In the fast-paced world of New York personal injury and no-fault defense practice, attorneys and medical providers constantly navigate a maze of federal and state privacy requirements. Among the most misunderstood is the application of the Health Insurance Portability and Accountability Act (HIPAA) to no-fault insurance litigation.

This federal privacy law — designed to protect patient PHI — creates real friction for practitioners in Nassau, Suffolk, and the five boroughs. The question that haunts no-fault practice is deceptively simple: Does a provider need to submit a HIPAA-compliant authorization to prosecute an action or to obtain discovery in an action for overdue no-fault benefits?

The answer determines whether medical evidence is admissible, whether discovery proceeds smoothly, and ultimately whether clients receive the compensation they deserve. Understanding HIPAA’s role here isn’t academic — it’s essential to avoid sanctions and to defeat carrier verification gamesmanship. The full statutory framework is collected in our New York no-fault insurance law cornerstone.

The HIPAA Landscape in Medical Legal Practice

What HIPAA Actually Requires

The Health Insurance Portability and Accountability Act of 1996 established national standards for the protection of certain health information. Under HIPAA’s Privacy Rule (45 CFR Parts 160 and 164), covered entities — healthcare providers, health plans, and healthcare clearinghouses — must protect individually identifiable health information and generally cannot use or disclose PHI without patient authorization.

The structural exceptions, however, are broad. 45 CFR 164.512 carves out disclosures for judicial and administrative proceedings, law enforcement, public health, workers’ compensation, and required-by-law contexts. The §164.512(e) judicial-proceedings exception is the single most important provision for no-fault practitioners — it covers most of what we do during verification, EUO, and post-litigation discovery.

Key HIPAA Components for Legal Practice:

• Protected Health Information (PHI): Any individually identifiable health information held or transmitted by covered entities
• Covered Entities: Healthcare providers who conduct electronic transactions, health plans, and healthcare clearinghouses
• Business Associates: Entities that perform functions or activities involving PHI on behalf of covered entities
• Authorization: Written permission from patients allowing specific uses or disclosures of their PHI

The No-Fault Context

New York’s no-fault system creates unique HIPAA compliance challenges. Under Insurance Law Article 51 — §5102 through §5108 — injured parties are entitled to first-party benefits regardless of fault, but accessing benefits requires extensive medical documentation, IMEs, and EUOs.

The §5106 verification process inherently involves multiple parties accessing and sharing PHI:

• Medical providers treating the injured party
• Insurance companies evaluating claims and determining benefits
• Independent medical examiners conducting evaluations
• Attorneys representing providers or injured parties in litigation
• Expert medical witnesses reviewing records and providing opinions

Can a No-Fault Insurer Obtain HIPAA-Protected Records Without a Patient Authorization?

A Thoughtful Legal Analysis

The issue lurking in no-fault practice is whether a provider needs to submit a HIPAA-compliant authorization to prosecute an action or obtain discovery in a suit for overdue no-fault benefits. David M. Barshay, Esq. of Baker Sanders LLC discusses this in a well-thought-out article entitled Applicability of HIPAA to No-Fault Insurance Litigation in the New York Law Journal. I recommend reading it.

The short answer — and the Barshay line confirms — is no: when the patient places medical condition in controversy by submitting an NF-3 with an assignment of benefits, the §164.512 carve-outs are triggered, CPLR §4504 privilege is waived, and the verification mechanism in 11 NYCRR 65-3.5 supplies all the legal-process authority HIPAA requires.

The Practical Implications

Mr. Barshay’s analysis highlights the tension between federal privacy requirements and state insurance law obligations. This tension manifests across no-fault practice:

• Discovery disputes: Carriers and defense counsel may object to medical-record requests citing HIPAA — usually wrong under 45 CFR 164.512(e), but it slows production
• Provider communications: Providers may hesitate to share information with carriers without an authorization, slowing the verification clock under §65-3.8
• Expert witness preparation: Using records for IME doctor preparation may require additional authorizations or a stipulated protective order
• Settlement negotiations: HIPAA concerns can complicate the sharing of medical information needed for meaningful settlement discussions
• Arons interviews: Arons v Jutkowitz, 9 NY3d 393 (2007), permits informal post-NOI interviews of treating physicians with an Arons-compliant authorization — a tool many practitioners still under-utilize

How Does CPLR §4504 Limit Discovery of a Claimant’s Medical Records?

When HIPAA Doesn’t Apply

While HIPAA creates significant privacy protections, several important exceptions are particularly relevant to no-fault litigation. The interplay between 45 CFR 164.512 and CPLR §4504 essentially neutralizes most patient-side HIPAA objections in active litigation.

Legal Proceedings Exception (45 CFR 164.512(e)). HIPAA permits disclosure of PHI in response to:

• Court orders (no notice or authorization required)
• Subpoenas or discovery requests with satisfactory assurances of patient notice or a protective order
• Administrative requests when proper notice procedures are followed
• Workers’ compensation board requests under §164.512(l)

Healthcare Operations Exception (45 CFR 164.506). Covered entities may use and disclose PHI for healthcare operations, including:

• Quality assessment and improvement activities
• Case management and care coordination
• Legal services related to healthcare operations
• Audit, compliance, and underwriting functions

Business Associate Activities. Healthcare providers may share PHI with business associates (including attorneys in certain circumstances) when a written Business Associate Agreement is in place.

CPLR §4504 Privilege Waiver. New York’s physician-patient privilege is automatically waived the moment a plaintiff places medical condition in controversy — Dillenbeck v Hess, 73 NY2d 278 (1989). For PIP claims, the EIP’s submission of an NF-3 puts condition squarely in controversy.

Practical Strategies for HIPAA Compliance in No-Fault Cases

For Medical Providers

Documentation Strategy. Medical providers participating in no-fault litigation should implement comprehensive HIPAA compliance strategies. The procedural mechanics — including how to coordinate authorizations with §5106 verification timelines — are walked through in our EUO requirements analysis.

1. Standard Authorization Forms: Develop HIPAA-compliant authorization forms that specifically address no-fault litigation needs
2. Limited Scope Authorizations: Use authorizations that are limited to the specific medical information relevant to the claim
3. Protective Procedures: Implement procedures to ensure PHI is only disclosed to authorized parties
4. Business Associate Agreements: Execute proper agreements with attorneys and other parties who will handle PHI

Training and Policies:

• Staff training on HIPAA requirements in litigation contexts
• Clear policies on when medical information can be disclosed
• Procedures for responding to subpoenas and discovery requests
• Regular updates on changing legal requirements

Common HIPAA Pitfalls in No-Fault Practice

Inadequate Authorizations

The Problem: Many standard medical authorization forms don’t meet HIPAA’s specific requirements, leading to disputes over discovery and potential sanctions.

The Solution: Use HIPAA-compliant authorization forms that include:

• Specific description of information to be disclosed
• Identity of persons authorized to make the disclosure
• Purpose of the disclosure
• Expiration date or event
• Patient’s right to revoke authorization

Overly Broad Requests

The Problem: Attorneys sometimes request comprehensive medical records when only specific information is relevant to the case, triggering HIPAA objections.

The Solution: Tailor discovery requests to seek only the medical information directly relevant to the claims or defenses in the case.

Frequently Asked Questions About HIPAA and No-Fault Practice

Q: Does New York’s no-fault law override HIPAA requirements?

A: No, federal HIPAA requirements generally supersede state law, though state laws may provide additional protections. No-fault practitioners must comply with both HIPAA and New York requirements.

Q: Can insurance companies request medical records directly from providers without HIPAA authorization?

A: Generally no, unless a specific HIPAA exception applies or the insurance company has a business relationship with the provider that permits such disclosure.

Q: What happens if medical records are disclosed without proper HIPAA authorization?

A: Potential consequences include exclusion of evidence, sanctions against the disclosing party, civil penalties under HIPAA, and professional discipline.

Q: Are independent medical examination reports subject to HIPAA?

A: Yes, IME reports typically contain PHI and are subject to HIPAA requirements, though specific exceptions may apply depending on the circumstances.

Q: Can patient testimony about their medical condition violate HIPAA?

A: No, HIPAA doesn’t restrict patients from discussing their own medical information. However, it does limit how covered entities can use or disclose that information.

The Nassau County and NYC Perspective

Local Court Practices

Courts in Nassau County, Suffolk County, and New York City have developed their own approaches to HIPAA issues in no-fault litigation:

• Protective Orders: Local courts increasingly use protective orders under CPLR §3103 to balance discovery needs with privacy requirements
• In-Camera Review: Some courts conduct private review of medical records to determine what information should be disclosed
• Bifurcated Discovery: Courts may separate medical discovery from other aspects of the case to address privacy concerns
• So-Ordered Subpoenas: When a non-party custodian refuses to honor an authorization, a so-ordered subpoena converts the request into a §164.512(e) court-ordered disclosure
• Arons Conferences: After note of issue, parties may obtain Arons authorizations permitting informal ex parte interviews with treating physicians — see Arons v Jutkowitz, 9 NY3d 393 (2007)
• CPLR 2106 Affirmations: The recent CPLR 2106 amendment eliminates notarization, which streamlines the records-custodian foundation in HIPAA-flagged matters

For background on the no-fault doctrinal grid that surrounds these HIPAA issues, see our legal encyclopedia — particularly the verification and EUO entries.

Conclusion: Mastering the HIPAA Challenge

The intersection of HIPAA and no-fault practice represents one of the most complex areas of modern personal injury law. As Mr. Barshay’s insightful analysis demonstrates, practitioners can no longer treat medical privacy as an afterthought—it must be integrated into every aspect of case planning and execution.

Practitioner Summary:

• HIPAA compliance is essential, not optional, in no-fault litigation
• Proper authorizations plus §164.512(e) procedures resolve most HIPAA-related discovery disputes
• Proactive compliance strategies protect both clients and practitioners
• The legal landscape continues to evolve, requiring ongoing attention and adaptation

For medical providers, attorneys, and insurance professionals working in Nassau County, Suffolk County, and throughout New York City, mastering HIPAA compliance isn’t just about avoiding penalties—it’s about ensuring that legitimate claims can be pursued effectively while respecting patient privacy rights.

The question of whether providers need HIPAA-compliant authorizations for no-fault litigation isn’t going away. Instead, it’s becoming increasingly central to successful practice in this area. By understanding these requirements and implementing appropriate procedures, practitioners can avoid the “hungry, hungry HIPAA” trap and focus on serving their clients effectively.

Call 516-750-0595 to speak with experienced attorneys who understand both the medical privacy requirements and the practical realities of no-fault practice in New York.

---

The information provided in this article is for educational purposes only and does not constitute legal advice. HIPAA compliance requirements can be complex and fact-specific. Consult with qualified healthcare attorneys for specific guidance on your compliance obligations.

Related Articles

• Understanding CPLR 3212(a) summary judgment timing rules
• The CPLR 3212(g) paradigm for no-fault cases
• No-fault verification requirements and compliance standards
• Recent amendments to no-fault regulations
• New York No-Fault Insurance Law

---

Legal Update (February 2026): Since this post’s publication in 2009, HIPAA regulations have undergone significant amendments, including updates to the Privacy Rule and Security Rule that may affect authorization requirements and permitted disclosures in litigation contexts. Additionally, New York State privacy laws and court procedures regarding medical record discovery in no-fault cases may have evolved. Practitioners should verify current HIPAA compliance requirements and state-specific procedural rules when handling medical records in no-fault litigation.