By: Raj Shah, Esq. at MagMutual
Executive summary:
Responding correctly to a subpoena for a patient’s medical records depends upon the authority of the subpoena, the scope of the request and the time given to fulfill the request. Incorrect responses by a healthcare organization can open the door to a serious HIPAA violation. Additional scrutiny is required for subpoenas for medical records of a deceased patient and for a patient’s psychotherapy notes.
Recommended actions:
- Consider the subpoena’s authority — whether the request is issued by a court or signed by an attorney.
- Determine the exact scope of the patient information sought. You must avoid providing more information than necessary to comply with the subpoena.
- Consider whether other laws in addition to HIPAA limit the requested disclosure, such as any state-specific law limiting disclosures for mental health or drug/alcohol treatment records.
- Ensure that psychotherapy notes receive a heightened level of protection and are only disclosed when necessary.
Healthcare providers are aware that HIPAA and state privacy laws restrict the disclosure of protected health information (PHI) to third parties. If a request for medical records comes via subpoena, discovery request or any other court order, the provider must not ignore it. However, the consequences of responding incorrectly to a request can be even more severe than those of ignoring it altogether. Once a subpoena is received, don’t ignore it, but also don’t immediately disclose the records, as you could be in violation of HIPAA or state privacy laws and face severe penalties.
This article offers guidance about what to do and what not to do after being served with a subpoena or request for documents including PHI.
Step 1: Check if the Request Is Signed by a Judge
If you receive a court order or a subpoena that is signed by a judge, magistrate or administrative tribunal, or is a grand jury subpoena, you must disclose the requested information. However, remember to disclose only the information expressly requested, and nothing more.
For example, if the subpoena asks for records relating to a specific date of service, only send records from that day and not the patient’s whole record. (If the document you received meets these criteria, there is no need to go on to the other steps, but additional information is available at the end of this document.)
Practical advice: Look specifically for a checkbox or judge’s signature on the subpoena form to confirm that it’s signed by a judge and not the court clerk or attorney. The judge’s name should also be listed in print next to the signature.
Step 2: Check if the Request Is from Another Party
A subpoena or discovery request signed by someone other than a judge, magistrate or administrative tribunal – most likely a court clerk or an attorney – is not a court order. A subpoena signed by an attorney or a court clerk requires additional assurances under HIPAA. If you receive a subpoena or discovery request that is signed by an attorney or court clerk, you cannot disclose information unless one of the following conditions is satisfied:
1. Provider must receive a written statement and accompanying documentation from the attorney issuing the subpoena demonstrating that:
- A good faith attempt was made to provide written notice of the subpoena to the patient or his or her attorney (this can be satisfied by a cover letter accompanying the request stating that the patient’s attorney was notified via a carbon copy);
- The written notice included sufficient information to allow the patient to raise an objection to the subpoena;
- The time for objecting to the subpoena has passed; and
- The patient did not object to the subpoena, or any objections by the patient were adequately resolved by the court.
2. Provider makes reasonable efforts to provide notice of the subpoena to the patient and the patient does not object to the release of their PHI.
Examples of reasonable efforts to notify the patient include calling the patient or sending the patient a letter via mail or email explaining that you’ve received a subpoena requesting disclosure of their protected health information. The communication needs to indicate that you, the provider, are required to respond unless the patient a) has the subpoena set aside before the time for responding has expired and b) notifies you that the subpoena has been set aside.
3. Provider may obtain a valid authorization form signed by the patient for the release of records.
This is the provider’s HIPAA authorization that patients in the office routinely sign to obtain their PHI. To be valid, the authorization form must contain the elements and statements required by the HIPAA Privacy Rule. The form also must be signed by the appropriate person, which may be the patient or may be the patient’s personal representative (if, for example, the patient is a child or an incapacitated adult).
Practical advice: If a subpoena is accompanied by an authorization or other document labeled “release” or “waiver” or something similar, do not use it. Some of the elements of an authorization that make it HIPAA-compliant are not intuitive and may be left out of a form prepared by a person (even an attorney) who is unaccustomed to working with HIPAA. If you receive a subpoena with an attached authorization for the patient to sign, use your practice’s HIPAA authorization form instead.
4. Provider must receive a written statement and supporting documentation demonstrating:
- That the parties have agreed on a qualified protective order, which limits use of the requested PHI to the lawsuit; or
- That the party seeking the information has filed for a qualified protective order.
5. Provider makes reasonable efforts to obtain a qualified protective order.
If the provider cannot satisfy one of these five conditions, they may not disclose the requested PHI, but neither may they ignore the subpoena without subjecting themselves to possible contempt sanctions. Staff members should notify their supervisors if one of these conditions is not met. Supervisors will be able to contact the organization’s attorney or a risk consultant at MagMutual who can provide guidance.
Step 3: See What Information Is Being Requested
After determining that an attorney-signed subpoena is valid, look at what information is being requested and be sure to provide only what was requested. In most states, for example, a subpoena must specifically ask for specially protected records such as those related to mental health and substance abuse. A subpoena asking for all of a patient’s medical records would not be sufficient to obtain those documents. See the examples below.
General request for entire record
If the subpoena is for a patient’s entire medical record, release the record except for specially protected records. Specially protected records include mental health records; drug/alcohol treatment records; psychotherapy notes; testing for or treatment of HIV, AIDS and STDs; and mental health, behavioral health or treatment records for substance abuse programs. If you are unsure if a part of the record is specially protected, ask a supervisor.
Practical advice: Remember that when communicating with the party seeking the record, even mentioning the existence of this highly sensitive PHI could be a HIPAA violation. For example, do not say, “We can send over the record except for the HIV treatment information.”
Requests for specially protected records
If the request includes specially protected records, those records can only be released under one of the following conditions:
- A court order signed by a judge specifically ordering the records related to the specially protected areas; or
- A valid authorization signed by the patient specifically authorizing the practice to release that portion of the record.
Step 4: Watch and Diary the Calendar
Once you know which records to send, pay attention to the calendar. Note the date by which the records are required, which sometimes can be too soon for the provider to comply. A short deadline also doesn’t allow enough time if the patient must be contacted for authorization or for the patient to object to the subpoena. It is not unusual for a subpoena to request that records be delivered within a week.
If the time to respond seems too short, contact your supervisor. If no time to respond to the subpoena is listed, you should respond after 21 days (ideally between 21 and 25 days). Remember, do not respond immediately even if it is a valid subpoena; waiting gives the patient time to sign an authorization or file an objection.
General Checklist for Responding to a Subpoena Requesting Protected Health Information
This checklist summarizes the steps to take to comply with a subpoena while at the same time protecting patient privacy and confidentiality. A provider should do the following:
- Confirm that the subpoena is valid (if it’s from an out-of-state court, it’s probably invalid).
- Identify who signed the subpoena (e.g., judge, administrative agency, attorney, court clerk).
- If the subpoena is signed by an attorney, contact the party issuing the subpoena to obtain satisfactory written assurances or a qualified protective order.
- When the subpoena is requesting records relating to a limited number of patients, notify the patients whose records are being sought as already outlined and/or determine whether the patients will provide a valid HIPAA authorization. (Remember you can use either a MagMutual authorization form or your practice’s existing authorization form.)
- If there are any questions about whether or which documents can be produced, ask your supervisor.
- Consider whether other laws in addition to HIPAA limit disclosures (e.g., state law limits on disclosures for mental health records and drug/alcohol treatment records).
Considerations for Deceased Patients
If a subpoena requests the medical records of a deceased patient, the same rules listed above apply, except that any authorization must be given by a “personal representative” of the deceased patient.
The executor of the patient’s estate is a personal representative and may sign the authorization as well as be substituted for the deceased patient for the purpose of notice or qualified protective orders. The patient may also sign a HIPAA release before death that designates an individual’s access to their PHI.
Family members or individuals involved in the patient’s care may also be personal representatives if the request is relevant to their involvement in the patient’s care, unless releasing the records is against the preference of the deceased patient.
Considerations for Psychotherapy Notes
It is important to note that a subpoena request for “all medical records” does not include psychotherapy notes, as they are subject to special protections from release. A practice should refrain from releasing psychotherapy notes when sending the patient’s medical record unless you have a court order (not a subpoena signed by a lawyer) that specifically requests them.
It’s also important to note that “psychiatric notes” are not given the same protections as psychotherapy notes. Instead, psychiatric notes must be sent along with the records when responding to a subpoena request for the medical records of a patient.
Additional Questions
If you have further questions or need sample policies, please visit the MagMutual HIPAA Toolkit, or contact MagMutual at 1-800-282-4882 or via questions@magmutual.com to be connected to an on-call risk consultant.
Lessons Learned
- Disclose information only to the extent expressly requested.
- Contact the party issuing the subpoena by both phone and email to obtain satisfactory written assurances and document the process.
- Omit disclosure of a patient’s psychotherapy notes unless there is a valid court order.
- Use either a MagMutual HIPAA authorization form or your practice’s existing form.
Potential Damages
While HIPAA fines can be severe, with a maximum penalty of $50,000 per violation, the frequency of penalties is extremely low. In fact, MagMutual’s data indicates that MagMutual policyholders have not encountered any losses from HIPAA violations related to responding to a medical record subpoena.