A HIPAA subpoena for medical records is an area where there is considerable potential for a HIPAA violation. When healthcare organizations receive a subpoena for medical records, how should they respond?
Subpoenas are used by attorneys to gain access to information critical to a legal case (“deposition subpoena”) or to compel an individual to testify (“witness subpoena”). Deposition subpoenas can be used by attorneys to obtain a patient’s medical records for use in a personal injury claim, medical malpractice claim, or a different type of civil lawsuit. Courts can also issue a HIPAA subpoena for medical records (“subpoena duces tecum”) which requires the recipient to produce evidence or testify at a court hearing.
If a valid subpoena for medical records is received by a HIPAA-covered entity, the request cannot be ignored and a prompt response is required to avoid contempt sanctions, but care should be taken when responding to the subpoena, as there is considerable potential for a HIPAA violation. Providing a patient’s medical records in response to a subpoena could constitute an unauthorized disclosure of protected health information (PHI), and that could result in a financial penalty for the covered entity for noncompliance.
It is important to note here that while the HIPAA Privacy Rule generally requires written consent from a patient before medical records are disclosed for reasons other than treatment, payment, or healthcare operations, HIPAA authorizations are not required when disclosures are required by law. However, it is advisable to inform the patient promptly about such a disclosure. It is then the responsibility of the patient to oppose the disclosure, should they so wish.
HIPAA Subpoena for Medical Records: Conditions That Must be Met
If you receive a subpoena for medical records, the first step is to check the validity of the subpoena. If the subpoena is not valid, a response is not required. Seek legal advice on whether the subpoena is valid.
There are different types of subpoena depending on the issuer. These fall into two main categories:
1. Court orders, court-issued subpoenas, and grand jury subpoenas
If the subpoena is signed by a judge or magistrate, or has been issued by an administrative tribunal or a grand jury, the request must be honored and the health information must be provided, although it is possible to object by writing to the court and specifying the grounds for objection.
If there is no objection, a healthcare provider or health plan is only permitted to disclose the information specifically stated in the court order and no more. If additional information is provided, that would be classed as an impermissible disclosure of PHI. For example, if a request is made for medical records for a specific date, the whole medical record should not be supplied. Information such as Social Security number, address, telephone number, etc. should be redacted if that information is not required to comply with the subpoena.
2. Subpoenas issued by attorneys or legal discovery requests
If a valid subpoena is signed by an attorney or a court clerk, HIPAA permits the disclosure of medical records if one of the following conditions is met:
- A written statement and accompanying documentation are received from the person issuing the subpoena demonstrating that a good faith attempt was made to provide written notice of the subpoena to the patient or his or her legal representative; that the notice included sufficient information to inform the patient that they have the right to object to the subpoena; and that the time for objecting to the subpoena has passed and the patient did not object, or an objection was satisfactorily resolved by the court.
- A written statement and accompanying documentation are received from the person issuing the subpoena demonstrating all parties to the lawsuit have agreed to a qualified protective order to maintain the confidentiality of the supplied information or that such an order has been requested. The qualified protective order limits the use of the information solely to the lawsuit and requires all information to be destroyed or returned when the lawsuit ends.
- The covered entity makes reasonable efforts to notify the patient, stating that a response is required by law and informing the patient of his/her right to object to the disclosure of their PHI, and the patient fails to notify the covered entity that the subpoena has been set aside before the deadline for responding. The covered entity can also object to the subpoena itself.
- A valid HIPAA authorization is obtained from the patient authorizing the covered entity to release his/her medical records and comply with the subpoena. In such cases, the information disclosed must still be limited to the information specifically requested in the subpoena.
Details of these requirements can be found in Title 45 of the Code of Federal Regulations, sections 164.512(c)(1)(ii); (e)(1)(iii)-(vi).
It is important to note that if none of the above conditions is satisfied, PHI cannot be provided without a court order, but the subpoena cannot simply be ignored. An objection should be made to the party issuing the subpoena on one or more of the following grounds:
- It does not allow reasonable time for compliance;
- It requires disclosure of privileged or protected matter and there is no applicable exception or waiver;
- It imposes an undue burden on the party subpoenaed;
- It is unreasonable or oppressive; or
- It is procedurally defective.
Please note that in different states, different causes for objection – or exception to the above – may exist. Time limits to file an objection may also differ by state. Legal advice should be sought on HIPAA subpoenas for medical records before disclosing any Protected Health Information.
Finally, if responding, do not do so before the date and time specified on the subpoena, as the patient may need that time in order to quash the subpoena. If no date is specified, a response should be delayed until at least three weeks following receipt of the HIPAA subpoena for medical records. Also make sure you log every request, the actions taken in response to the subpoena, and the information provided.
Medical Records and HIPAA Subpoenas: FAQ
Does the HIPAA Privacy Rule apply when PHI is subpoenaed?
The HIPAA Privacy Rule does still apply, as it lays out the scenarios under which PHI can be handed over if it is subpoenaed. Additionally, in the case of subpoenas, the healthcare provider or health plan should try to inform the relevant patients (giving them a chance to object) and ensure that the PHI will be protected once handed over. This can be done by obtaining a qualified protective order.
What is the difference between a subpoena and a court order?
Court orders are issued by judges or administrative tribunals. Subpoenas are special types of court orders that are not issued by judges but instead by court clerks, attorneys, or other qualified individuals. They have different consequences in terms of HIPAA compliance. If a HIPAA covered entity (CE) receives a court order to hand over PHI, they must comply. If the information is subpoenaed, it can only be handed over under certain circumstances.
How can patient privacy be maintained if PHI is subpoenaed?
Covered entities should ensure that only the information requested in the subpoena is disclosed. If the request relates only to a certain period of time, specific diagnostic tests, a particular condition, etc., then only those parts of a patient’s medical record should be handed over. Additionally, where possible, HIPAA identifiers should be removed from the information. Qualified protective orders can also be obtained from the court to protect the information.
Can CEs object to subpoenas?
Generally, yes, objections to subpoenas for PHI can be made. However, what counts as grounds for objection will depend on state law. Additionally, if the subpoena was signed by a clerk or an attorney, the patients to whom the PHI refers should be given the opportunity to object.