Regulation of Medicine
A Step-by-Step Guide for Responding to Medical Record Subpoenas
By Raj Shah, Esq.
December 26, 2019
Healthcare providers are aware that HIPAA and state privacy laws place restrictions on the disclosure of protected health information (PHI) to third parties. If a request for records comes via subpoena, discovery request or any other court order, the provider must not ignore it because a response is usually required. However, while you shouldn’t ignore the subpoena or discovery request, the consequences of responding incorrectly to a request can be even more severe than those of ignoring it altogether. Once a subpoena is received, DO NOT ignore it, but also DO NOT immediately disclose the records, as you could be in violation of HIPAA or state privacy laws and face severe penalties. This article offers guidance about what to do and what not to do after being served with a subpoena or request for documents including PHI.
Step 1: Check if the Request is Signed by a Judge
Court Orders, Court-Issued Subpoenas and Grand Jury Subpoenas. If you receive a court order or a subpoena that is signed by a judge, magistrate or administrative tribunal, or if you receive a grand jury subpoena, you must disclose the requested information. Still, remember to disclose only the information expressly requested, and nothing more. For example, if the subpoena asks for records relating to a specific date of service, only send records from that day and not the patient’s whole record. (If the document you received meets these criteria, there is no need to go on to the other steps, but additional information is available at the end of this document.)
Practical Advice: Look specifically for a checkbox or judge’s signature on the subpoena form to confirm the subpoena is signed by a judge and not the court clerk or attorney. The judge’s name should also be listed in print next to the signature.
Step 2: Responding to Lawyer or Clerk Signed Requests
Attorney-Issued Subpoenas or Discovery Requests. A subpoena or discovery request signed by someone other than a judge, magistrate or administrative tribunal – most likely a court clerk or an attorney – is NOT a court order. A subpoena signed by an attorney or a court clerk requires additional assurances under HIPAA. If you receive a subpoena or discovery request that is signed by an attorney or court clerk, you cannot disclose information unless one of the following conditions is satisfied:
- Provider must receive a written statement and accompanying documentation from the attorney issuing the subpoena demonstrating that:
  - A good faith attempt was made to provide written notice of the subpoena to the patient or his or her attorney (this can be satisfied by a cover letter accompanying the request stating that the patient’s attorney was notified via a carbon copy);
  - The written notice included sufficient information to allow the patient to raise an objection to the subpoena;
  - The time for objecting to the subpoena has passed; and
  - The patient did not object to the subpoena or that any objections by the patient were adequately resolved by the court.
- Provider makes reasonable efforts to provide notice of the subpoena to the patient and the patient does not make any objections to the release of their PHI.
  - Examples of reasonable efforts to notify the patient include calling the patient or sending the patient a letter via mail or email explaining that you’ve received a subpoena requesting disclosure of their protected health information, and you are required to respond unless the patient has the subpoena set aside before the time for responding has expired and notifies you that the subpoena has been set aside.
- Provider may obtain a valid authorization form signed by the patient for the release of their records. This is the provider’s HIPAA authorization that patients in the office routinely sign to obtain their PHI. To be valid, the authorization form must contain the elements and statements required by the HIPAA Privacy Rule. The form also must be signed by the appropriate person, which may be the patient or may be the patient’s personal representative (if, for example, the patient is a child or an incapacitated adult).
Practical Advice: If a subpoena is accompanied by an authorization or other document labeled “release” or “waiver” or something similar, DO NOT USE IT. Some of the elements of an authorization that make it HIPAA-compliant are not intuitive and may be left out of a form prepared by a person (even an attorney) who is unaccustomed to working with HIPAA. If you receive a subpoena with an attached authorization for the patient to sign, do not use it and use your practice’s HIPAA authorization form instead.
- Provider must receive a written statement and supporting documentation demonstrating:
  - that the parties have agreed on a qualified protective order or
  - that the party seeking the information has filed for a qualified protective order. A qualified protective order limits the use of the requested PHI to the lawsuit.
- Provider makes reasonable efforts to obtain a qualified protective order.
If for some reason the provider cannot satisfy one of these five conditions, they may not disclose the requested PHI, but neither may they ignore the subpoena without subjecting themselves to possible contempt sanctions. Staff members should notify their supervisors if one of these conditions is not met. The supervisors will be able to contact the organization’s attorney or a risk consultant at MagMutual who can provide guidance.
Step 3: See What Information is Being Requested
After determining the attorney-signed subpoena is valid, look at what information is being requested and be sure to provide only what was requested. In most states, for example, a subpoena must specifically ask for specially protected records such as those related to mental health and substance abuse. A subpoena asking for all of a patient’s medical records would not be sufficient to obtain those documents. See the examples below.
- General Request for Entire Record. If the subpoena is for a patient’s entire medical record, release the record except for specially protected records. Specially protected records include mental health records; drug/alcohol treatment records; psychotherapy notes; testing for or treatment of HIV, AIDS and STDs; and mental health, behavioral health or treatment records of substance abuse programs. If you are unsure if a part of the record is specially protected, ask a supervisor.
Practical Advice: Remember when communicating with the party seeking the record, even mentioning the existence of this highly sensitive PHI could be a HIPAA violation. For example, do not say, “We can send over the record except for the HIV treatment information.”
- Requests for Specially Protected Records. If the request specifically asks for specially protected records, they can only be released under one of the following conditions:
  - A court order signed by a judge specifically ordering the records related to these specially protected areas; or
  - A valid authorization signed by the patient specifically authorizing the practice to release that portion of the record.
Step 4: Watch and Diary the Calendar
Once you know which records to send, pay attention to the calendar. Note the date by which the records are required, which sometimes can be too soon for the provider to comply. A short deadline also doesn’t allow enough time if the patient must be contacted for authorization or for the patient to object to the subpoena. It is not unusual for a subpoena to request records be delivered within a week. If the time to respond seems too short, contact your supervisor. If no time to respond to the subpoena is listed, you should respond after 21 days (ideally between 21 and 25 days). Remember, do not immediately respond even if it is a valid subpoena. This gives the patient time to sign an authorization or file an objection.
General Checklist for Responding to a Subpoena Requesting Protected Health Information
These are steps to be taken to comply with a subpoena while at the same time protecting patient privacy and confidentiality. A provider should do the following:
- Confirm that the subpoena is valid (if it’s from an out-of-state court, it’s probably invalid)
- Identify who signed the subpoena (e.g., judge, administrative agency, attorney, court clerk)
- If the subpoena is signed by an attorney, contact the party issuing the subpoena to obtain satisfactory written assurances or a qualified protective order.
- When the subpoena is requesting records relating to a limited number of patients, notify the patients whose records are being sought as already outlined and/or determine whether the patients will provide a valid HIPAA authorization that complies with HIPAA. (Remember you can use either a MagMutual authorization form or your practice’s existing authorization form.)
- If there are any questions about whether or which documents can be produced, ask your supervisor.
- Consider whether other laws in addition to HIPAA limit disclosures (e.g., state law limits on disclosures for mental health records and drug/alcohol treatment records).
Considerations for Deceased Patients
If a subpoena is requesting the medical records of a deceased patient, the same rules listed above apply, except that any authorization must be given by a “personal representative” of the deceased patient. The executor of the patient’s estate is a “personal representative” and may sign the authorization as well as be substituted for the deceased patient for the purpose of notice or qualified protective orders. The patient may also sign a HIPAA release prior to death that designates an individual to have access to their PHI. Even if not an executor or specifically designated by a HIPAA authorization form, family members or individuals involved in the patient’s care may also be “personal representatives” if the request is relevant to their involvement in the patient’s care, unless releasing the records is against the preference of the deceased patient.
If you have further questions or need sample policies, please visit the MagMutual HIPAA Toolkit or you can contact MagMutual at 1-800-282-4882 or firstname.lastname@example.org to be connected to an on-call risk consultant.
The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.