Medical records win and lose civil cases. They corroborate testimony, quantify damages, and often compel early settlements. However, medical records are protected by the federal Health Insurance Portability and Accountability Act (HIPAA) and, in many states, by state-level health privacy protections as well. For this reason, litigators seeking medical records during pretrial discovery encounter hurdles not usually presented by other types of discovery materials.
Yes, HIPAA’s privacy protections do not strictly apply to lawyers requesting medical records for use in civil litigation. And, yes, HIPAA’s privacy protections do not alter the scope of permissible discovery requests, which in the federal system allows parties to obtain non-privileged information relevant to any party’s claim or defense – provided the information sought is proportional to the needs of the case.
Litigators who address HIPAA’s privacy rules at intake — not at the point of a dispute — can gain weeks of strategic advantage.
HIPAA does, however, govern how a hospital or medical records custodian will respond to records requests. Their lawyers and administrators will be scrutinizing any request for records containing HIPAA-protected health information.
In the context of medical records requests, HIPAA’s privacy protections thus create procedural issues that should be addressed as early as possible in litigation, not left as something to be handled once discovery gets underway. Litigators who address HIPAA’s privacy rules at intake — not at the point of a dispute — can gain weeks of strategic advantage.
What HIPAA Requires
The HIPAA Privacy Rule, at 45 CFR Part 164, restricts “covered entities” — hospitals, physician practices, health plans, and healthcare clearinghouses — from releasing protected health information without patient consent. Section 164.512(e) carves out a specific exception for judicial and administrative proceedings. That exception rests on three lawful methods for obtaining records.
Method 1: Patient Authorization
This is the most common scenario in civil litigation. When a client seeks damages for physical or psychological injury, a signed patient authorization typically provides the fastest path to records. The authorization must comply with 45 CFR 164.508 and include:
- The specific information to be disclosed and the relevant date range
- The identity of the healthcare provider authorized to release records
- The identity of the person or firm authorized to receive them
- The purpose of the disclosure
- An expiration date
- A notice of the patient’s right to revoke consent
Health privacy experts advise litigators to draft patient authorizations narrowly, seeking only those records relevant to the litigation. This is commonly referred to as the “minimum necessary” standard. Overly broad requests give privacy-conscious medical providers grounds to push back, possibly causing delays in obtaining the records. Tailor patient authorizations to specific providers, treatment categories, and time periods.
Method 2: Court Order
Medical providers may release records immediately upon receiving a court order that expressly identifies the records to be produced. Litigators who expect contested discovery should consider seeking a court order early rather than relying on a subpoena alone.
Method 3: Subpoena with Satisfactory Assurances
Subpoenas remain the most common pretrial discovery tool, but a subpoena alone does not compel a HIPAA-compliant provider to divulge medical records. Before releasing records, the provider must receive “satisfactory assurances” in writing that one of two conditions has been satisfied:
- The requesting attorney made a good-faith effort to notify the patient, the notice gave the patient enough information to object, the objection period has elapsed, and no unresolved objections remain.
- The parties either entered a stipulated “qualified protective order” or the requesting attorney sought one from the trial court. A qualified protective order must include two elements that HIPAA treats as non-negotiable: (1) a strict use-limitation clause prohibiting any use of protected health information outside the specific proceeding, and (2) a return-or-destruction requirement obligating every party to return or destroy all protected health information at the proceeding’s conclusion.
When a records subpoena and satisfactory assurances documentation are served together, the medical provider who receives both simultaneously ordinarily will have no HIPAA-based grounds for delay.
Ethical Obligations Regarding Medical Records
Receiving medical records implicates several professional ethics considerations. The American Bar Association’s Model Rule of Professional Conduct Rule 1.1 obliges lawyers to competently navigate federal and state privacy protections surrounding medical records. Rule 1.6(c) requires attorneys to take reasonable measures against unauthorized disclosure of client confidential information. Attorneys who delegate records retrieval tasks to vendors retain supervisory responsibility under ABA Model Rule 5.3.
Late last year, the State Bar of Georgia concluded that litigators may, consistently with their ethical obligations, retain third-party vendors to assist in securing medical records. Georgia lawyers were advised that hiring a third-party vendor to obtain medical records is, from an ethical standpoint, the same as delegating any other type of legal work to a non-lawyer assistant.
Eight Steps for Getting Records Quickly
During early stages of civil litigation, the following eight measures should help litigators obtain necessary medical records in the shortest amount of time:
- Draft the qualified protective order at client intake. Do not wait for a discovery dispute. Draft the proposed order when the case file opens, using language that tracks Section 164.512(e) precisely.
- Check for model-qualified protective orders. Many federal district courts publish court-approved HIPAA-compliant qualified protective order templates. State courts often maintain similar forms.
- Seek a stipulation before filing a motion. Propose a stipulated qualified protective order to opposing counsel early. Most courts enter stipulated qualified protective orders without a hearing.
- Apply the “minimum necessary” standard. Specify date ranges, record categories, and treating providers by name.
