Sheba Vine

Long-term care providers are charged with protecting a patient’s right to privacy when disclosing protected health information, but how is that accomplished when an attorney serves the provider with a federal subpoena for medical records? The answer is simple if you as the long-term care provider understand your obligations and liabilities under the law and exercise due diligence when answering such legal requests.

Subpoenas are commonly used by attorneys to obtain medical documents and information from third parties for a variety of civil lawsuits; from personal injury to employment law to medical malpractice claims. In the context of federal litigation, the subpoena power comes from Rule 45 of the Federal Rules of Civil Procedure. Rule 45 allows a subpoena to command oral testimony for deposition or trial purposes (subpoena ad testificandum), command the production or inspection of documents and information (subpoena duces tecum), or both. In the alternative, a subpoena may command the production or inspection of documents by a specified date in lieu of providing oral testimony. This article only addresses subpoenas for the production of documents. If you are subpoenaed to provide oral testimony you should immediately contact an attorney.

Subpoenas do not have to be signed by a judicial officer, such as a judge or magistrate. Instead, Rule 45 allows an attorney or court clerk to sign the subpoena. Providers must pay careful attention to this detail because HIPAA requires strict compliance with a subpoena or court order signed by a judge or magistrate, a court-ordered warrant, or grand jury subpoena. Of course a provider must not disclose more than what is expressly authorized by the document to maintain compliance with HIPAA.

As for a subpoena signed by an attorney or court clerk, HIPAA requires a provider to exercise due diligence before releasing PHI by ensuring that one of the following conditions is satisfied:

  • The provider must receive a written statement and accompanying documentation from the attorney issuing the subpoena demonstrating that:

A good faith attempt was made to provide written notice of the subpoena to the patient or his or her attorney;
The written notice included sufficient information to allow the patient to raise an objection to the subpoena;
The time for objecting to the subpoena has passed; and
The patient did not object to the subpoena or that any objections by the patient were adequately resolved by the court.  

  • The provider must receive a written statement and accompanying documentation from the attorney issuing the subpoena demonstrating that:

All parties to the lawsuit have agreed to a qualified protective order and have presented it to the court or that the attorney issuing the subpoena has filed for a protective order. A qualified protective order limits the use of the requested PHI to the lawsuit and requires the PHI to be returned or destroyed when the lawsuit ends.

  • The provider makes reasonable efforts to provide notice of the subpoena to the patient and the patient does not make any objections to the release of his or her PHI.

  • The provider obtains a signed HIPAA authorization from the patient for the release of the subpoenaed medical records.

These conditions can be found in Title 45 of the Code of Federal Regulations, Section 164.512(c)(1)(ii), (e)(1)(iii)-(vi).

Accordingly, a provider must take specific measures to protect a patient’s right to privacy when responding to subpoenas for medical records. Upon receiving a subpoena, a provider should:

  1. Immediately calendar the date on which the documents must be produced or inspected;
  2. If the amount of time to respond is not adequate then request an extension of time from the issuing attorney, making sure to document the request and approval in writing for your records;
  3. Evaluate the subpoena against the HIPAA required documentation. If the information contained in the subpoena does not meet one of the listed HIPAA conditions then it is incumbent upon the provider to obtain the necessary written documentation from the issuing attorney in a timely manner. In the alternative, the provider may contact the patient directly to obtain authorization.
  4. The subpoena, accompanying documentation, and any written correspondences between the provider and the issuing attorney should be retained in case of an investigation or audit.

Once a provider obtains the necessary written assurances, it must release the medical records on the date specified in the subpoena. Absent such assurances, a provider may not lawfully release the subpoenaed medical records to the issuing attorney. In this case, the provider should immediately contact an attorney, as it will need to timely object to the subpoena in writing, detailing the reasons for its objections, including the documentation needed to comply with HIPAA.

In order to minimize the risk of unlawful disclosures and to foster a culture of compliance as a long-term care provider, your business should have policies and procedures in place that address subpoenas along with proper staff training.

Having a government investigation initiated by a patient complaint that alleges his or her PHI was improperly disclosed can have adverse effects on your business. Taking steps to mitigate this risk by documenting the policies and procedures and training your staff on how to properly respond is essential.

This article does not address subpoenas issued by state court. And to the extent state law is more restrictive than HIPAA, state law controls, which may require additional steps to be taken before disclosing such information.   

Sheba E. Vine is the Director of Regulatory Compliance at First Healthcare Compliance. In this role, Ms. Vine serves as an expert and resource for clients concerning regulatory compliance. Prior to joining First Healthcare Compliance, Vine was an attorney in private practice in the areas of litigation and employment law with the Jacobs Law Group, P.C., the Danneman Firm, LLC, and the Vigilante Law Firm, P.C.