A HIPAA subpoena for medical records is an area where there is considerable potential for a HIPAA violation. When healthcare organizations receive a subpoena for medical records, how should they respond?
Subpoenas are often used by attorneys to gain access to information critical to a legal case or to compel an individual to testify. A subpoena is often used by attorneys to obtain a patient’s medical records for use in a personal injury claim, medical malpractice claim, or a different type of civil lawsuit.
If a valid subpoena for medical records is received by a HIPAA-covered entity, the request cannot be ignored and a prompt response is required to avoid contempt sanctions, but care should be taken when responding to the subpoena as there is considerable potential for a HIPAA violation. Providing a patient’s medical records in response to a subpoena could constitute an unauthorized disclosure of protected health information (PHI), and that could result in a financial penalty for the covered entity for noncompliance.
It is important to note here that while the HIPAA Privacy Rule generally requires written consent from a patient before medical records are disclosed for reasons other than treatment, payment, or healthcare operations, HIPAA authorizations are not required when disclosures are required by law. However, it is advisable to inform the patient promptly about such a disclosure. It is then the responsibility of the patient to oppose such a disclosure, should they so wish.
HIPAA Subpoena for Medical Records: Conditions That Must be Met
If you receive a subpoena for medical records, the first step is to check the validity of the subpoena. If the subpoena is not valid, a response is not required. Seek legal advice on whether the subpoena is valid.
There are different types of subpoena depending on the issuer. These fall into two main categories:
1. Court orders, court-issued subpoenas, and grand jury subpoenas
If the subpoena is signed by a judge or magistrate, or has been issued as part of an administrative tribunal or a grand jury subpoena, the request must be honored and health information must be provided, although it is possible to object by writing to the court and specifying the grounds for objection.
If there is no objection, a healthcare provider or health plan is only permitted to disclose the information specifically stated in the court order and no more. If additional information is provided, that would be classed as an impermissible disclosure of PHI. For example, if a request is made for medical records for a specific date, the whole medical record should not be supplied. Information such as Social Security number, address, telephone number, etc. should be redacted if that information is not required to comply with the subpoena.
2. Subpoenas issued by attorneys or legal discovery requests
If a valid subpoena is signed by an attorney or a court clerk, HIPAA permits the disclosure of medical records if one of the following three conditions is met:
- A written statement and accompanying documentation are received from the person issuing the subpoena demonstrating a good faith attempt was made to provide written notice of the subpoena to the patient or his or her legal representative; the notice included sufficient information to inform the patient that they have the right to object to the subpoena; the time for objecting to the subpoena has passed and the patient did not object to the subpoena or an objection was satisfactorily resolved by the court.
- A written statement and accompanying documentation are received from the person issuing the subpoena demonstrating all parties to the lawsuit have agreed to a qualified protective order to maintain the confidentiality of the supplied information or that such an order has been requested. The qualified protective order limits the use of the information solely to the lawsuit and requires all information to be destroyed or returned when the lawsuit ends.
- The covered entity makes reasonable efforts to notify the patient, stating a response is required by law, and the patient is informed of his/her right to object to the disclosure of their PHI and the patient fails to notify the covered entity that the subpoena has been set aside before the deadline for responding. The covered entity can also object to the subpoena.
- A valid HIPAA authorization is obtained from the patient authorizing the covered entity to release his/her medical records and comply with the subpoena. In such cases, the information disclosed must still be limited to the information specifically requested in the subpoena.
Details of these requirements can be found in Title 45 of the Code of Federal Regulations, sections 164.512(c)(1)(ii); (e)(1)(iii)-(vi).
It is important to note that if one of the above conditions is not satisfied, PHI cannot be provided and a court order is required, but the subpoena cannot simply be ignored. An objection should be made to the party issuing the subpoena on the grounds of HIPAA. Legal advice should be sought.
If responding, do not do so before the date and time specified on the subpoena as the patient may need that time in order to quash the subpoena. Also make sure that you log any requests, the actions taken in response to the subpoena, and the information provided.