How to handle PHI when subpoenaed

Before responding to a subpoena, healthcare providers must obtain satisfactory assurances that the request complies with legal requirements and safeguards patient confidentiality. This often involves verifying the legitimacy of the subpoena and ensuring that proper consent has been obtained or that the request meets specific legal criteria.

When is a subpoena issued to healthcare providers?

A subpoena may be issued to healthcare providers in legal proceedings to compel the disclosure of PHI. A study published in the Professional Psychology: Research and Practice provides that disclosures can vary, “...requests for disclosure can come in a variety of forms (not all of which are legally valid). Attorneys might informally request records (via email, in person, or over the phone).” 

Unlike a court order issued by a judge or administrative tribunal, a subpoena is typically issued by a party involved in a legal case, such as a court clerk or an attorney. For HIPAA-covered entities to disclose PHI in response to a subpoena, they must adhere to the Privacy Rule's requirements. Before complying with the subpoena, the healthcare provider should ensure that certain conditions are met. 

Related: How to share reproductive information legally and securely

What PHI could be requested?

In a subpoena issued to healthcare providers, the requested information can vary based on the nature of the legal case and the specific circumstances. Generally, the information that could be requested in a subpoena may include:

1. Patient identifying information: Names, addresses, dates of birth, and other identifying details of individuals whose records are being sought.
2. Medical records: Patient health records, including medical histories, diagnoses, treatment plans, medications, test results, and imaging reports.
3. Treatment notes: Notes and progress reports from healthcare professionals, therapists, and specialists involved in the individual's care.
4. Billing information: Invoices, statements, and billing records related to medical services provided to the individual.
5. Insurance details: Information related to the individual's health insurance coverage, claims, and payments.
6. Lab results: Laboratory test results, including blood work, pathology reports, and other diagnostic tests.
7. Prescriptions: Information about prescribed medications, dosages, and instructions.
8. Consent forms: Any signed consent forms or authorization documents related to the release of medical information.
9. Correspondence: Communications between healthcare providers and the individual, including emails, letters, and other written exchanges.
10. Imaging studies: X-rays, MRIs, CT scans, and other medical imaging studies.
11. Referral documents: Referral letters or documents indicating the need for specialized medical care or consultations.
12. Expert opinions: Medical expert opinions or analyses related to the individual's condition or treatment.
13. Insurance claims: Documentation of insurance claims submitted for medical services rendered.
14. Witness testimonies: Requests for healthcare professionals to testify as witnesses in a legal proceeding.
    
    

What is satisfactory assurance?

Satisfactory assurance, within the context of a subpoena involving healthcare providers and PHI, refers to the specific requirements that must be met by the party issuing the subpoena before the covered entity can disclose PHI without the necessity of obtaining a separate court order. Satisfactory assurance entails demonstrating that the requester has taken appropriate steps to uphold patient privacy in accordance with the Privacy Rule.

Related: What are the permitted uses and disclosures of PHI?

How to ensure satisfactory assurance is met?

If the following conditions are met, the covered entity can disclose the PHI without requiring a separate court order.

Satisfactory assurances from requesting party

The covered entity must receive satisfactory assurances from the party requesting the information. These assurances relate to notifying the individuals who are the subjects of the information or obtaining a qualified protective order.

Notification to the individual(s)

The requesting party must demonstrate that they have made reasonable efforts to provide written notice to the individual(s) whose PHI is being requested. The notice should include sufficient information about the legal proceeding to allow the individual(s) to raise objections with the court. The time for objections to be raised should have elapsed, and no objections were filed, or any objections raised were resolved in a manner consistent with the request. 

Documentation Requirements

The written statement and accompanying documentation from the requesting party must provide evidence of their efforts to notify the individual(s) or obtain a qualified protective order. Examples of documentation include copies of notices sent to individuals, proof of resolution of objections (if applicable), copies of qualified protective orders, and related court motions.

Qualified protective order

Alternatively, the requesting party can provide documentation that a qualified protective order has been sought and secured from a court. A qualified protective order is a legal order that outlines how the disclosed PHI will be protected and used during the legal proceedings.

Related: HIPAA Compliant Email: The Definitive Guide

FAQs

Can providers share PHI when an attorney makes an informal request for PHI?

No, a legal requirement has to exist. 

Do patients have to consent for their PHI to be shared due to a subpoena?

Generally, subpoenas are accompanied by a court order making consent not necessary. 

Can a subpoena record be included in a patient's request for disclosures?

Yes.