Requests by attorneys for Kobe Bryant seeking hospital medical records of the woman who accused him of sexual assault have raised questions about medical privacy and whether a new federal law provides sufficient protections.
A sweeping federal law enacted in April was designed to prevent the release of medical information without first obtaining proper legal authority or the patient's consent.
The Health Insurance Portability and Accountability Act, or HIPAA, set for the first time a national standard for medical privacy, giving patients greater control over their health records and making illegal what once was merely unethical.
Though the 443-page HIPAA laws aren't widely understood by the public, health officials say medical records are safer and more secure now than ever. In almost all circumstances without a patient's authorization, medical information is off-limits to the media, drug companies, employers and even family members.
"Medical records are locked up," said Joan Brisard, director of medical records at UCLA Medical Center and Santa Monica-UCLA Medical Center. "No one can just walk in off the street and get them."
The federal law, however, changed little about how medical records are obtained in legal cases.
When a patient's medical records are deemed pertinent to a criminal or civil case -- a point being debated in the Bryant case -- they may have to be surrendered even without the patient's consent, legal experts say.
Hospitals routinely are required to release patient medical records when served with warrants, subpoenas or court orders seeking the release of information.
UCLA Medical Center, for example, fields about 200 such requests a month, Brisard said. The patient or the hospital can fight the records' release, but these efforts often are unsuccessful, legal experts say. Few hospitals or medical offices challenge the court's decision ordering release of the records, and appeals seldom are successful, experts say.
Attorneys for the Colorado hospital where the 19-year-old woman was hospitalized in February are fighting the subpoena to release her records.
The woman's attorneys also are trying to block moves by Bryant's attorneys to get access to her medical records from two other area hospitals. In both instances, the woman hasn't consented to the release of her records, the woman's attorneys said.
HIPAA generally provides tougher privacy protections for a patient's mental health treatments.
The most notable change was to block health insurers from reviewing treatment notes from psychotherapy sessions. Previously, health-care plans could access such notes to justify additional treatment.
Because of the breadth of the HIPAA laws, some doctors and hospitals aren't up to speed on all its intricacies, legal experts say, thus allowing the mistaken disclosure of protected information.
In a few cases, records are obtained through criminal behavior.
"In high-profile cases where there's a high level of press interest, there are some [who illegally] pay for or find a staff person at a hospital to get the information," said Janlori Goldman, director of Georgetown University's Health Privacy Project.
In such cases, where criminal intent is involved, Goldman said HIPAA doesn't go far enough to safeguard patients. HIPAA laws don't allow individual patients to sue. Instead, patients must file a complaint within 180 days of the incident, and the government will decide whether to pursue a case.
"Medical privacy is better protected than it was before HIPAA," Goldman said. "But hospitals, health plans and doctors' offices have a long way to go in explaining rights to patients."