HIPAA in a Mental/Behavioral Healthcare Facility Bankruptcy: Authorizing the Patient Care Ombudsman’s Access to Medical Records


The Business Advisor

Winter 2018

On January 12, 2017, I was appointed Patient Care Ombudsman (PCO) for North Philadelphia Health System (NPHS), a debtor in a chapter 11 bankruptcy currently pending before the U.S. Bankruptcy Court for the Eastern District of Pennsylvania (“Bankruptcy Court”). NPHS operates Girard Medical Center and the Helen L. Goldman Rehabilitation Center (“Goldman Clinic”), which share a campus in North Philadelphia. Girard Medical Center provides behavioral and mental health treatment primarily, but not exclusively, on an inpatient basis. The Goldman Clinic provides substance abuse treatment on an outpatient basis.

As PCO, my primary duty was monitoring the quality of patient care and safety at NPHS. 11 U.S.C. § 333(b)(1). Arising from that duty was the charge of representing the interests of patients, particularly by raising healthcare quality and safety issues (including issues relating to the privacy and security of patient medical records) to management, the United States Trustee, and the Bankruptcy Court when necessary. 11 U.S.C. § 333(a)(1). Both duties require the PCO to determine whether: (i) the debtor is taking reasonably sufficient precautions to protect the privacy and security of patient medical records; and (ii) the debtor is able to make the patients’ medical records available to the patients and for treatment purposes. Performance of both the monitoring and advocacy duties indisputably requires me to have some access to patients’ medical records and healthcare-related information. Indeed, the Bankruptcy Code expressly contemplates PCO interviews of patients and clinicians (11 U.S.C. § 333(b)(1)), which ineluctably require the PCO’s access and exposure to such healthcare information. However, most of the healthcare-related information to which a PCO must have access is robustly protected by various federal and state data privacy laws. Consequently, even to set up and conduct the interviews expressly contemplated by § 333(b)(1) of the Bankruptcy Code, PCOs face significant gatekeeping roadblocks to obtaining the necessary healthcare-related information.

The first roadblock to a PCO’s access to patient medical records is set forth in § 333(c) of the Bankruptcy Code and Bankruptcy Rule 2015.5, which condition a PCO’s access to a patient’s medical records on obtaining an order of the Bankruptcy Court authorizing such access. The second roadblock stems from the various federal and state laws restricting access to patient medical records. In the case of the PCO in the NPHS case, authorizing such access required consideration of the following federal and Pennsylvania state laws:

    • The Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. § 1320, et seq. (HIPAA), as amended and expanded by the Health Information Technology for Economic and Clinical Health Act (HITECH) of 2009;
    • 42 U.S.C. § 290dd-2 (which governs the confidentiality of substance abuse treatment records);
    • The Federal Confidentiality of Alcohol and Drug Abuse Patient Records regulations found at 42 C.F.R., Part 2 (particularly 45 CFR §§ 2.1 through 2.3, 2.61 and 2.64) (commonly called the “Part 2 Regulations” or just “Part 2”);
    • The Pennsylvania Mental Health Procedures Act (50 P.S. §§ 5100, et seq.); and
  • the Pennsylvania Drug and Alcohol Abuse control Act (71 P.S. § 1690.108).

None of those statutes expressly authorize a debtor-healthcare provider to accord a PCO access to the specific patient medical records they protect. Unfortunately, the very procedure provided to a PCO by the Bankruptcy Rules for obtaining access to patient medical records – a motion on notice to interested parties, including patients – arguably requires the PCO to violate at least the HIPAA Privacy Rule (45 C.F.R. §§ 164.501, et seq.) by accessing and using the names and addresses of patients for notice purposes even before the PCO has the ability to access, let alone use, such information.

The specific challenges I faced in obtaining access to NPHS’s patient medical records, the means by which I addressed them, and takeaways from my service as PCO in the NPHS case are addressed below.

HIPAA/HITECH Considerations

HIPAA, as amended, HITECH, and the HIPAA Privacy Rule protect so-called “protected health information” (PHI). PHI1 consists of any information or data (including demographic data) relating to an individual’s current or prior physical or mental health or the provision of or payment for healthcare that identifies or could easily identify the individual. 45 C.F.R. § 160.103. In other words, PHI includes virtually all information concerning NPHS’s patients that I needed to perform my duties as PCO.

As noted above, neither HIPAA nor the HIPAA Privacy Rule authorizes the disclosure of PHI to a PCO. The HIPAA Privacy Rule does, however, permit “[a] covered entity to disclose [PHI] in the course of any judicial or administrative proceeding in response to an order of a court or administrative tribunal, provided that the covered entity discloses only the [PHI] expressly authorized by such order.” 45 C.F.R. § 164.512(e)(1)(i). As a provider of healthcare, NPHS is a “covered entity” for purposes of HIPAA. 45 C.F.R. § 160.103. Under HIPAA, therefore, I could obtain access to the PHI of NPHS’s patients by means of an order of the Bankruptcy Court. Unfortunately, neither HIPAA nor the HIPAA Privacy Rule provided any guidance for the Bankruptcy Court to determine the appropriate scope of an order providing me with access to the PHI of NPHS’s patients. Based in part on prior appointments as PCO, I was aware that bankruptcy courts, United States Trustees, debtors’ counsel, and creditors’ committees’ counsel, among others, were reluctant to accord PCOs with broad access to PHI. In my motion for access to PHI (hereafter, “PHI Access Motion”), therefore, I endeavored to provide such guidance and to address those concerns.

To allay the anticipated concerns of the Bankruptcy Court, United States Trustee, and creditors’ committee in the NPHS case, I delineated in my PHI Access Motion the actual PHI to which I sought access. I also crafted a proposed form of order that carefully delineated the precise relief I sought by that motion. More specifically, I expressly limited my request for access to only the PHI I would need to perform my duties as PCO. To that end, the proposed form of Order limited my access to PHI to (i) a review of a small but representative sample of patient medical files to ensure completeness and currency and (ii) a more thorough review of the records of patients impacted by a demonstrated material decline in the quality of patient care and safety that required a report to the Bankruptcy Court and United States Trustee.

To further allay concerns on the part of the Bankruptcy Court, United States Trustee, or creditors’ committee, I characterized the access I sought to PHI as access for “healthcare operations” purposes. In that regard, the HIPAA Privacy Rule (at 45 C.F.R. § 164.502(a)(1)(ii)) authorizes a “covered entity” like NPHS to disclose PHI for its own healthcare operations without patient consent so long as permitted by 45 C.F.R. § 164.506. See Citizens for Health v. Leavitt, 428 F.3d 167, 173-74 (3d Cir. 2005), cert. den’d., 127 S. Ct. 43, 166 L.Ed.2d 251 (2006). HIPAA defines “healthcare operations,” in pertinent part, to include: (i) “conducting quality assessment and improvement activities;” and (ii) “evaluating practitioner and provider performance.” 45 C.F.R. § 164.501. Because my duties as PCO expressly included monitoring the quality of the patient care and safety provided by NPHS, my duties perforce constituted “quality assessment activities” and the “evaluation of practitioner and provider performance.” Consequently, although I was not retained as a PCO by NPHS but was appointed as PCO in the NPHS bankruptcy case by the United States Trustee upon the direction of the Bankruptcy Court to provide those services, by analogy at least, the quality assessment and performance evaluation activities I performed as PCO fell squarely within “healthcare operations.”

Behavioral and Mental Health Treatment Considerations

As noted above, federal and state statutes and regulations provide protections over and above those provided by HIPAA/HITECH and the HIPAA Privacy Rule for information concerning the treatment of mental illness and substance abuse disorders. Those statutes and regulations strictly restrict access to such information in the absence of affirmative patient consent. However, those statutes and regulations also contain limited exceptions to those restrictions.

Federal Law: Pursuant to 42 U.S.C. § 290dd-2(b)(A), confidential records concerning the treatment of substance abuse disorders may be disclosed, even without the consent of the patient, to “qualified personnel for the purpose of conducting . . . program evaluations, but such personnel may not identify directly or indirectly, any individual patient in any report . . . or otherwise disclose patient identities in any manner.” Section 290dd-2(b)(A) does not, by its terms, authorize disclosure of information to PCOs in bankruptcy cases. However, in my PHI Access Motion, I argued by analogy that, for purposes of 42 U.S.C. § 290dd-2(b)(A), a PCO constitutes “qualified personnel” to whom confidential records may be disclosed for the limited purpose of reviewing a sample of patient records to determine their completeness and currency, with such access being analogous to the program evaluation contemplated by the statute.

42 U.S.C. § 290dd-2(b)(C) also authorizes courts to direct the disclosure of PHI to, inter alia, avert a substantial risk of death or serious bodily harm. In that regard, as PCO, I was obligated to advise the Bankruptcy Court of any significant decline in or material compromise of the quality of the care and safety of the NPHS’s patients to which I became aware, even if it was not time to file one of my periodic reports. 11 U.S.C. § 333(b)(3). For that reason, I contended in my PHI Access Motion that, to perform my duties as PCO, which indisputably include taking action to avert risk of death or serious bodily harm, I was entitled to access to PHI to the extent necessary to meet my statutory duty of advising the Court of a significant decline in or material compromise of the quality of the care of NPHS’s patients.

Pennsylvania Law: As do the foregoing federal authorities, 71 P.S. § 1690.108 prohibits the disclosure of confidential information concerning substance abuse treatment. 71 P.S. § 1690.108(b). The statute allows the disclosure of such confidential information upon order of the Pennsylvania Court of Common Pleas for purposes “unrelated to . . . treatment” for “good cause.” Id. In determining whether good cause for disclosure exists, the court shall weigh the need for the information sought to be disclosed against the possible harm of disclosure to the person to whom such information obtains, the physician-patient relationship, and the treatment services, and may condition disclosure of the information upon appropriate safeguards. Id. In my PHI Access Motion, I submitted that a balance of the harms delineated in 71 P.S. § 1690.108(b) weighed in favor of granting me as PCO access to (i) a sample of patient medical records for the limited purpose of determining their completeness and currency, and (ii) those patient medical records whose review was necessary for me to prepare a report advising the Court of a significant decline in or material compromise of the quality of patient care and safety at NPHS’s facilities. Concerns over disclosure could be further allayed by my anonymizing all PHI I included in my PCO reports.

Similarly, the Pennsylvania Mental Health Procedures Act (55 Pa. Code. § 5100, et seq.) strictly protects the privacy and security of mental health treatment and provides limited and appropriate exceptions. Mental health treatment information may be disclosed, however, even without the patient’s consent, in response to a court order. 55 Pa. Code § 5100.32(a)(7). To provide the Bankruptcy Court with guidance on the extent to which I should be allowed access to NPHS’s patients’ mental health treatment records, I limited the access to PHI I requested to: (i) the review of a small but representative sampling of patient medical records for the limited purpose of assuring that they are complete and current, and/or, if I received evidence indicating a significant decline in or material compromise of the quality of patient care’ and (ii) a review of the medical records of patients impacted by a material decline in the quality of patient care or safety to permit me to make the filings with the Bankruptcy Court required under 11 U.S.C. § 333(b)(3) in such situations.

PHI Access Order

In line with the statutes and regulations discussed above, the proposed form of order I submitted with my PHI access motion carefully limited my access to PHI and included the following protections for NPHS’s patients.

    • Access, Use, and Disclosure: My access to and use and disclosure of PHI was limited to what was necessary to perform my duties as PCO to prepare my PCO reports.
    • Minimum Necessary: NPHS was directed to provide me with only the minimum amount of PHI necessary to fulfill my duties as PCO.
    • Reports and Motions: PHI had to be de-identified in any reports or motions I filed in the performance of my duties as PCO.
    • Appropriate Safeguards: I agreed on my own behalf and on behalf of any of my agents to properly safeguard the privacy and security of any PHI I received in the course of performing my duties as PCO and that I could not be compelled to disclose such PHI absent authorization by the Bankruptcy Court.
    • Removal of PHI from NPHS’s Premises or Copying PHI: I agreed to a general prohibition against removing PHI from NPHS’s premises or copying it.
  • Reporting and Mitigation: I agreed to report breaches concerning the PHI and to mitigate to the extent reasonable any such breaches.

The Bankruptcy Court approved my proposed form of Order, and its provisions proved workable and effective throughout my tenure as PCO. I successfully completed my appointment as PCO in the NPHS case, in part because I understood the limitations on my access to PHI.


In addition to the challenges faced in obtaining access to PHI, my experience as PCO in the NPHS bankruptcy provides the following takeaways:

    • Providers of mental and/or behavioral health (including substance abuse treatment) in bankruptcy cases are subject to numerous industry-specific federal and state data protection laws, including, but by no means limited to, HIPAA/HITECH and the HIPAA Privacy Rule.
    • Although they are facially directly applicable only to the healthcare debtor, those laws do impact a PCO’s performance of his or her duties, and the PCO must be aware of them and comply with them.
    • The PCO must also understand that bankruptcy judges and counsel for the debtors, creditors, and creditors’ committees may have serious concerns about authorizing access to PHI and may not understand those laws well. The PCO must, therefore, demonstrate that he or she does not seek any more access to PHI than is necessary to perform the obligations of a PCO.
    • None of the healthcare data protection laws contemplate a PCO’s access to PHI. To obtain access to PHI, a PCO must provide arguments by analogy.
  • The PCO must work closely with the United States Trustee and, to the extent practicable, counsel for the debtor, creditors, and creditors’ committee in addressing the scope of the PCO’s access to PHI.

I am currently serving as the PCO in another behavioral and mental healthcare provider bankruptcy and anticipate writing further articles on the role of and challenges to PCOs in mental and behavioral healthcare provider bankruptcies.

If you have questions concerning this article, please contact me at either (973) 596-4523 or dcrapo@gibbonslaw.com.

1 Not all healthcare data privacy statutes and regulations utilize the phrase “protected health information” to identify the information they protect. For purposes of this article, however, I will use the term “PHI” to include all patient medical information to which I sought access as PCO, regardless of the applicable statute or regulation.