We are frequently approached by healthcare providers who have received a subpoena demanding patient records for a lawsuit to which the healthcare provider is not a party. Attorneys often use subpoenas to obtain medical records in a variety of civil suits including employment law, personal injury, and medical malpractice claims.
These subpoenas often arrive without warning and demand extensive productions on a tight deadline. Although most healthcare professionals are generally aware of the Health Insurance Portability and Accountability Act (HIPAA) and its requirements regarding the disclosure of Protected Health Information (PHI), far fewer are aware of how HIPAA operates in the context of a subpoena.
Under HIPAA, health information refers to any information that is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse, and that relates to:
- the past, present, or future physical or mental health of an individual;
- the provision of health care to an individual; or
- the past, present, or future payment for the provision of health care to an individual.[1]
Subject to certain exceptions, PHI refers to individually identifiable health information that has been transmitted or maintained in any form or medium, electronic or otherwise.[2]
Although HIPAA includes numerous restrictions (and exceptions to those restrictions) on the disclosure of PHI, a covered entity may generally only disclose PHI about an individual:
- to that individual;
- for the provision of healthcare services to that individual; or
- pursuant to the authorization of that individual.[3]
Subpoena Requests & HIPAA
The Subpoena Includes Pre-Authorization
Subpoenas for medical records frequently include a HIPAA authorization from the relevant patient permitting the requested disclosure. However, it is important to carefully review the language of the authorization to ensure that it meets the requirements of applicable state and federal law. This review must be done on a case-by-case basis, and the analysis may vary based on the specific subject matter of the medical records being requested.
The Subpoena Does Not Include Authorization or Is Too Extensive
In other cases, the subpoena does not have an accompanying authorization, or it involves the production of too many patients’ records to realistically obtain consent from each individual. Under these circumstances, HIPAA specifically outlines when PHI can be used and disclosed without the relevant patient’s authorization or opportunity to agree or object, such as when responding to a non-party subpoena.[4]
The Subpoena is Non-Party
In some cases, the subpoena may be served with an order by a court or administrative tribunal. In these circumstances, the subpoenaed party may disclose the PHI without obtaining patient approval.[5] However, the covered entity is only allowed to disclose PHI to the extent it has been expressly authorized to do so by the order.[6] Therefore, it is important to understand the nature and scope of the order authorizing disclosure before producing any records.
Unfortunately, in our experience, the non-party subpoena is usually not served with an accompanying order authorizing the disclosure. Under these circumstances, HIPAA provides that a covered entity may disclose PHI if:
- the covered entity receives satisfactory assurance from the party issuing the subpoena that reasonable efforts have been made to ensure that the patient whose protected health information has been requested was given notice of the request; or
- the covered entity receives satisfactory assurance from the party issuing the subpoena that reasonable efforts have been made by such party to secure a qualified protective order.[7]
Under either option, “satisfactory assurance” and “qualified protective order” are defined terms that have specific compliance requirements outlined under HIPAA.[8]
For instance, “satisfactory assurance” under the first requirement entails a written statement and accompanying documentation showing that:
- The party requesting the information has made a good-faith attempt to provide written notice to the patient;
- The notice includes sufficient information about the litigation involving the PHI request to allow the patient to raise objections; and
- The time for the patient to raise objections has expired, and:
  - No objections were filed by the patient; or
  - All patient objections were resolved by the court.[9]
Similarly, “satisfactory assurance” under the second requirement also entails a written statement and accompanying documentation, but these must instead show that:
- The parties to the dispute giving rise to the subpoena have agreed to a qualified protective order and have presented it to the court; or
- The party requesting the PHI has requested a qualified protective order from such court.[10]
A “qualified protective order” prohibits the parties from using or disclosing the PHI for purposes other than the litigation and requires the return or destruction of the PHI at the end of the litigation.[11]
Ensuring compliance with these requirements involves the review of various statements and accompanying documentation made by the party requesting the PHI.
There is a third option for complying with HIPAA in the face of a non-party subpoena requesting PHI. Under this alternate method, a covered entity may disclose PHI in response to a subpoena if the covered entity itself makes “reasonable efforts” to provide sufficient notice to the patient whose records have been requested or to seek a “qualified protective order.”[12] As with the previous options for HIPAA compliance, both “reasonable efforts” and “qualified protective order” have the same specific requirements that must be satisfied in order to provide a safe harbor for disclosure of the requested PHI.
It is critical that you do not ignore a valid subpoena since failure to respond in a timely manner may subject you to contempt sanctions. In any event, it is important to understand your options and obligations when either you or your organization has received a subpoena demanding the production of PHI. Improper disclosure of PHI can carry significant penalties and expose you or your organization to fines and potential litigation. Reach out to a medical malpractice attorney to learn how to protect yourself or your organization from unintentional missteps.
[1] 45 C.F.R. § 160.103.
[2] Id.
[3] 45 C.F.R. § 164.502.
[4] 45 C.F.R. § 164.512.
[5] Id. § 164.512(e)(1)(i).
[6] Id.
[7] Id. § 164.512(e)(1)(ii).
[8] Id. § 164.512(e)(1)(vi).
[9] Id. § 164.512(e)(1)(iii).
[10] Id. § 164.512(e)(1)(iv).
[11] Id. § 164.512(e)(1)(v).
[12] Id. § 164.512(e)(1)(vi).