We are frequently approached by health care providers who have received a subpoena demanding patient records for a lawsuit to which the health care provider is not a party. Often times these subpoenas arrive without warning and demand extensive productions on a tight deadline. Although most health care professionals are generally aware of HIPAA’s requirements regarding the disclosure of Protected Health Information (PHI), far fewer are aware of how HIPAA operates in the context of a subpoena.

Under HIPAA, Health Information refers to any information that is created or received by a health care provider, health plan, employer, or health care clearinghouse, that relates to:

1. the physical health of an individual;
2. the provision of health care to an individual;
3. the payment for the provision of health care to an individual.[1]

Subject to certain exceptions, PHI refers to individually identifiable Health Information that has been transmitted or maintained in any form or medium, electronic or otherwise.[2]

Although HIPAA includes numerous restrictions (and exceptions to those restrictions) on the disclosure of PHI, a covered entity may generally only disclose PHI about an individual:

1. to that individual;
2. for the provision of healthcare services to that individual; or
3. pursuant to the authorization of that individual.[3] 

Accordingly, subpoenas for medical records frequently include a HIPAA authorization from the relevant patient permitting the requested disclosure. However, it is important to carefully review the language of the authorization to ensure that it meets the requirements of applicable state and federal law. This review must be done on a case-by-case basis and the analysis may vary based on the specific subject matter of the medical records being requested.

However, we also regularly encounter subpoenas that either do not have an accompanying authorization or involve the production of too many patients’ records to realistically obtain consent from each individual. Under these circumstances, HIPAA specifically outlines when PHI can be used and disclosed without the relevant patient’s authorization or opportunity to agree or object, such as when responding to a non-party subpoena.[4] 

In some cases the subpoena may be served with an order by a court or administrative tribunal. In these circumstances, the subpoenaed party may disclose the PHI without obtaining patient approval.[5] However, the covered entity is only allowed to disclose PHI to the extent they have been expressly authorized to do so by the order. Therefore, it is important to understand the nature and scope of the order authorizing disclosure prior to producing any records.

Unfortunately, in our experience, the non-party subpoena is usually not served with an accompanying order authorizing disclosure. Under these circumstances, HIPAA provides that a covered entity may disclose PHI if:

1. the covered entity receives satisfactory assurance from the party issuing the subpoena that reasonable efforts have been made to ensure that the patient whose protected health information has been requested has been given notice of the request; or
2. the covered entity receives satisfactory assurance from the party issuing the subpoena that reasonable efforts have been made by such party to secure a qualified protective order.[6]  

Under either option, “satisfactory assurance” and “qualified protective order” are defined terms that have specific compliance requirements outlined under HIPAA.[7] Ensuring compliance with these requirements involves the review of various statements and accompanying documentation made by the party requesting the PHI.

There is a third option for complying with HIPAA in the face of a non-party subpoena requesting PHI. Under this alternate method, a covered entity may disclose PHI in response to a subpoena if the covered entity makes “reasonable efforts” to provide sufficient notice to the patient whose records have been requested or by seeking a “qualified protected order.”[8] Like the previous option for HIPAA compliance, both “reasonable efforts” and “qualified protective order” have specific requirements that must be satisfied in order to provide a safe harbor for disclosure of the requested PHI. 

In any event, it is important to understand your options and obligations when either you or your organization has received a subpoena demanding production of PHI. Improper disclosure of PHI can carry significant penalties and expose you or your organization to fines and potential litigation. Reach out to a licensed attorney to learn how to protect yourself or your organization from unintentional missteps.   

1. 45 C.F.R. § 160.103.
2. Id.
3. 45 C.F.R. § 164.502.
4. 45 C.F.R. § 164.512.
5. 45 C.F.R. § 164.512(e)(1)(i).
6. 45 C.F.R. § 164.512(e)(ii).
7. Id. [1] 45 C.F.R. § 164.512(e)(1)(vi).