21 November 2011

Maintaining Compliance With HIPAA In The Face of a Subpoena Request

Topics: HIPAA

Medical facilities and healthcare providers often receive requests for information and/or records relative to pending litigation. These requests can come in many forms, from a phone call from a patient, to a letter from an attorney purportedly representing a client, to a subpoena duces tecum for a complete copy of an individual’s medical records. The purpose of this client advisory is to address the proper way to handle the third type of request, as it relates to the target’s obligation to maintain HIPAA compliance.

HIPAA is a federal statute designed to protect the privacy of health information. While there are certain exceptions, HIPAA applies to nearly all healthcare providers. If a subpoena for healthcare information is received by a Provider, there first must be a determination as to whether the subpoena has been properly served (see note 1) and is accompanied by a valid authorization for disclosure.

The authorization for disclosure must be in writing and signed by the patient or legal guardian, either granting the requestor permission to use protected health information for a specified purpose or permitting the facility to disclose protected health information to a third party (CFR 164.508). This authorization should specify the information that is being used and/or disclosed, and it should contain an expiration date. Such an authorization need not be notarized or witnessed. In the event of receipt of a proper authorization along with a validly served subpoena, the requested information can be permissibly disclosed in compliance with HIPAA.

On the other hand, if the subpoena fails to enclose a valid authorization, there are still circumstances where disclosure may be made while maintaining HIPAA compliance. Those common exceptions pertain to disclosure of information within the course of a Judicial or Administrative Proceeding. In such instances, the Court Order must be enclosed with the subpoena and must state with specificity the purpose for which the information is being disclosed and any limitations upon the type of information sought. Proper service is still a requirement.

Absent an Authorization or Court Order, there are two additional possibilities for disclosure of protected information while remaining HIPAA compliant. The first relates to “Satisfactory Assurance of Proper Notice.” Healthcare information can be properly subpoenaed from a facility if the requestor provides the facility “Satisfactory Assurance” that the subject of the request was given notice of the request. Satisfactory Assurance may include documentation supporting a good faith attempt to notify the individual who is the subject of the request as to the information sought, the reason for its use, and the opportunity to object prior to the disclosure. The exact requirements of Satisfactory Assurance of Proper Notice are set forth in 44 CFR 164.512(e)(1)(ii)(A).

In the absence of or inability to provide Satisfactory Assurance, the requestor can substitute notice with a Qualified Healthcare Protective Order. An example is a Protective Order on file with the Court from which the subpoena was issued, stipulating the information to be disclosed, the limitation of its use solely in the legal proceeding, and providing for either return or destruction of the protected information at the conclusion of the proceeding. The exact requirement of a Qualified Healthcare Protective Order is set forth in 44 CFR 164.512E(1)(ii)(B)(V)(A),(B). With such a Qualified Healthcare Protective Order in place, the information can be disclosed pursuant to the Subpoena without risk of HIPAA non-compliance, assuming proper service. As issues involving HIPAA often involve complex legal analysis and risk of significant civil fines for non-compliance, it is always advisable to consult with competent legal counsel immediately upon the receipt of any request for protected healthcare information.

1 See FRCP 45(b) and analogous statute rules.
