As part of the discovery or disclosure process, parties to a lawsuit often issue a subpoena to a medical provider for patient medical records. Federal law imposes HIPAA subpoena compliance requirements on the provider. These requirements can be found in the HIPAA Privacy Rule. The Privacy Rule regulates the use and disclosure of protected health information (PHI). PHI is health information in any form, including physical records, electronic records, or spoken information. To qualify as PHI, the information must be “individually identifiable health information” – information such as birth date and phone number that is unique to a patient.
Whether, and to what extent, a covered entity may disclose PHI in response to a subpoena issued during a court proceeding depends upon the type of subpoena.
Different types of subpoenas, along with their corresponding HIPAA subpoena compliance obligations, are discussed below:
Subpoenas are generally issued either by a judge (including an administrative judge or administrative law judge) or an attorney in a case. Judge-issued subpoenas are often referred to as court orders. If a court issues a subpoena that demands production of medical information, the healthcare provider may divulge protected health information, but only that information that is specifically described in the order.
Attorney-issued subpoenas for medical records of a patient are accompanied by a HIPAA authorization from the patient that permits the requested disclosure.
The covered party may disclose information that is responsive to the subpoena, but only if it first satisfies its HIPAA subpoena compliance obligations. To satisfy these HIPAA subpoena requirements, the covered entity whose medical records are sought must comply with the notification requirements of the Privacy Rule. Before responding to the subpoena, the provider or plan should receive evidence that there were reasonable efforts to either: 1) notify the person who is the subject of the information about the PHI request, so the person has a chance to object to the disclosure, or 2) seek a qualified protective order for the information from the court. Both of these options are discussed below.
The law requires that before a provider can respond to a subpoena for medical records by disclosing PHI, the provider must receive satisfactory assurance from the requesting party that reasonable efforts have been made by the requesting party to ensure that the patient who is the subject of the PHI has been given notice of the request.
Under the law, a covered entity receives satisfactory assurance from the party seeking the PHI, if the covered entity receives a written statement and other documentation from the requesting party demonstrating:
A qualified protective order is an order from a court or from an administrative tribunal (e.g., a Department of Labor or a Workers' Compensation Board), or a stipulation (a signed agreement) by the parties to the litigation or administrative proceeding.
The qualified order, to meet HIPAA subpoena compliance requirements, must contain language that prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or administrative proceeding that is the subject of the subpoena.
The qualified order must also, to meet HIPAA subpoena compliance requirements, require that all PHI (including all copies made) either be returned to the covered entity or be destroyed at the end of the litigation or proceeding.