
HIPAA Compliance When Responding to Subpoenas for Medical Records

The ins and outs of subpoenas for medical records and how to analyze each subpoena to ensure you properly comply with the HIPAA Privacy Rule.

Jeanne Varner Powell, JD

09/25/2023

Subpoenas for medical records often trigger worry and anxiety in even the most confident physicians, advanced health care professionals, and practice administrators. The good news is it doesn’t have to be this way because the process for responding to records subpoenas is generally straightforward. Subpoenas for medical records don’t require you to do stressful things, like appearing in court or giving testimony.

Your focus when responding to an attorney’s subpoena for records should be complying with the HIPAA Privacy Rule.[1] In this article, MICA explains the ins and outs of subpoenas for records and how to analyze each subpoena you receive to ensure you properly safeguard patients’ protected health information (“PHI”). This article applies only to attorney subpoenas for medical records. It does not apply to a licensing board’s request for medical records.

A Subpoena for Records IS NOT a Court Order

HIPAA permits physicians, practices, and other covered entities (“CE”) to disclose patients’ medical records in response to a court order (without authorization from the patient or patient’s personal representative). However, subpoenas for medical records ARE NOT COURT ORDERS.

A subpoena for medical records is called a Subpoena Duces Tecum (“SDT”). A SDT is a formal way for a plaintiff, defendant, or other party in a lawsuit to request your records. The attorney who sends you the SDT doesn’t need to go to the Courthouse or see a judge to get the SDT. The attorney prints it in his/her office.

But the Subpoena Looks Like a Court Order

SDTs look formal, and most non-attorneys mistakenly think they are court orders because:

  • They have the Court caption at the top (e.g., Superior Court of Arizona, Maricopa County);

  • They say, “YOU ARE COMMANDED to appear”;

  • They give a date, time, and place for appearance; and

  • They say, “You are hereby notified that any failure to obey this subpoena without adequate excuse may be deemed a contempt of this Court, and subject you to sanctions.”

Despite all this, SDTs are still not court orders.

But the Subpoena Says I Have to “Appear”

Most attorneys will include a letter with the SDT. The letter will usually tell you: We don’t want you to appear on the date/time specified (even though the SDT says YOU ARE COMMANDED TO APPEAR). Yes, it’s confusing as mud, but here’s the scoop.

If you look closely at the SDT, it probably says the appearance is before a “Court Reporter” at the attorney’s office. If so, the attorney’s letter will instruct you to call the attorney’s office if you plan to appear on the date/time specified. This is because they are not expecting (or wanting) you to show up. In fact, if you did show up without calling ahead, there might not be anyone there (and certainly not a court reporter). All they really want you to do is send them the requested records via mail before the date/time of appearance. If you do that, no appearance is necessary.

The HIPAA Privacy Rule Governs Your Response to a Subpoena for Medical Records

Regardless of what the requesting attorney wants or asks you to do, as a HIPAA covered entity you must comply with the Privacy Rule when responding to subpoenas for medical records. Under the Privacy Rule, medical practices and other covered entities must safeguard PHI contained in patients’ medical records. Each time you receive a subpoena requesting medical records, you must analyze the subpoena and any accompanying documents to determine whether it meets Privacy Rule protections. If it doesn’t, HIPAA prohibits disclosure.

Step-by-Step Approach to Determine if a Subpoena Meets HIPAA Privacy Rule Requirements

To avoid a HIPAA violation, you need a written policy with a standard procedure for analyzing subpoenas and determining whether the Privacy Rule allows disclosure. For each subpoena you receive, consider implementing the step-by-step analysis below:

Step One: Is there a court order? If yes, HIPAA permits disclosure of the information specified by the order.

Although subpoenas are not court orders, sometimes an attorney will send a subpoena that includes a court order. For example, a MICA member recently called the MICA Risk Team with questions about a subpoena he received. When the Risk Team reviewed the documents, there was a court order attached to the subpoena. The attorney’s letter that came with the subpoena and order said, “Also enclosed is an Order Granting Release of Medical Records of [deceased patient’s name] signed by the Court on July 7, 2023; and a copy of the Death Certificate of [deceased patient’s name].”

If, as in this example, a subpoena includes a court order signed by a judge, HIPAA permits you to disclose only the records and information specifically described in the order. In this case, the judge ordered disclosure of “all medical records, information, notes, billing and administrative records, and documents pertaining to [deceased], including any recorded communications between [deceased] and any and all healthcare providers within the scope of HIPAA or the physician-client relationship.”

Step Two: If no court order, is there a valid HIPAA-compliant authorization for release of records? If yes, HIPAA permits disclosure of the information specified by the authorization.

The Privacy Rule also allows you to disclose records when a subpoena includes a written authorization signed by the patient or the patient’s health care decision maker or personal representative. In this case:

  • Disclosure must be limited to the information specified in the authorization.

  • Check the date on the authorization and any time restrictions (e.g., the release permits disclosure within 6 months after the date it was signed) to ensure that it is not “expired.”

  • If you have any doubts, it’s a good risk management practice to contact the patient and confirm he/she signed the authorization, before responding to the subpoena.

  • If the authorization is signed by a personal representative or health care decision maker, obtain verification of that person’s authority. For example, if the patient is deceased, a good risk management strategy is to require the death certificate and documents appointing the personal representative (or documents establishing that the requestor was the patient’s health care decision maker).

Step Three: If no court order or valid, signed HIPAA authorization, is there a HIPAA-compliant protective order issued by the Court? If yes, HIPAA permits disclosure.

Rarely, the subpoena you receive may come with a court-issued, HIPAA-compliant protective order (but no signed authorization). In this case, HIPAA permits disclosure of the records.

To ensure compliance with the HIPAA Privacy Rule requirements, confirm that the protective order:

  • Is an order entered by the court (i.e., signed or electronically signed by a judge or commissioner);

  • Contains language prohibiting the parties from using/disclosing PHI for any purpose other than the case or litigation in which the subpoena was issued; and

  • Requires the parties in the case to destroy the records or return them to you at the end of the case/litigation.[2]

For physician practices and other HIPAA covered entities located in Utah, disclosure is allowed even if a Court has not yet entered the protective order. In this situation, the attorney must provide you with written assurances and documentation showing either:

  • all parties in the case have agreed to a protective order AND have submitted one to the Court for signature or

  • the party requesting the records has asked the Court to enter a protective order.[3]

Note that Arizona’s law is more restrictive than HIPAA on this issue and (as explained above) permits disclosure only when the Court has already entered the protective order.[4]

Other HIPAA provisions that apply to subpoenas in Utah but not Arizona

In Utah, when no court order, valid signed authorization, or protective order accompanies a subpoena, HIPAA still permits disclosure when there are “satisfactory assurances” that reasonable efforts have been made to notify the patient of the subpoena.[5] This is NOT the case in Arizona because Arizona state law is more restrictive than HIPAA on this issue.

In this situation, the attorney who sends you the subpoena must include a written statement and documentation showing that:

  • The attorney has made a good faith attempt to provide written notice to the patient whose records are being requested; and

  • The notice gave the patient enough information to allow him/her to file an objection with the court; and

  • The time has passed to object to the disclosure and either the patient didn’t file an objection, or the court has ruled on the objection and the subpoena complies with the court’s order.[6]

What if the subpoena doesn’t comply with the Privacy Rule requirements?

Even if the Privacy Rule requirements aren’t met, don’t ever ignore subpoenas. If you ignore a subpoena, the attorney could ask the court to fine you for contempt.

If you review the subpoena and documents and decide they don’t meet the Privacy Rule requirements, you should call the attorney’s office. Here’s some guidance when doing this:

  • If you receive only a subpoena with no authorization or court order, let the attorney know you need the patient’s signed authorization to release records. In this situation, it’s also a good idea to call the patient (assuming you have current contact information) and let him/her know you received a subpoena for records.

  • If the patient is deceased, ask the attorney for a death certificate, an authorization signed by the personal representative, and documents showing appointment of the personal representative.

  • In either case, ask for an extension to respond while the attorney gathers the documents you need.

  • If you haven’t received these things after calling the attorney, and the deadline stated in the subpoena is approaching, you should send a letter to the attorney confirming that you called him/her and are waiting for a signed authorization. This letter is important because it will serve as a record that you contacted the attorney and didn’t just ignore the subpoena.

  • In rare circumstances, an attorney may insist you need to respond to the subpoena even though disclosure is not permitted by the Privacy Rule. In this case, you will need to file an objection with the court or ask the court to review the records by submitting them directly to the judge under seal. Consult your attorney for assistance with this situation.

What if I don’t have any records?

Sometimes, you may not have records because the person was never a patient or was a patient 20 years ago and records were destroyed. If this is the case, send a written letter to the attorney confirming you received the subpoena and there are no records.

If the Privacy Rule permits disclosure, is there a deadline to copy and send records?

In Arizona, the attorney’s letter and the subpoena will likely state a deadline. Arizona law requires attorneys to give you at least 10 days to respond.[7] Sometimes the subpoena and letter sit on an attorney’s desk and by the time he/she sends them to you, you don’t have much time to find, copy, and send the records. Regardless of the reason, if you believe you don’t have enough time to copy and send the records, simply call the attorney’s office and ask for an extension. They usually will agree without argument.

In Utah, physician practices and other health care providers must[8] provide the copies within 30 days after receiving the subpoena request. Disclosing the records later violates the statute and reduces the amount you can charge for copying as follows:

  • If records are produced more than 30 days but less than 60 days after receipt of the subpoena request, the practice must waive 50% of the fees charged (see next section for discussion of fees allowed).

  • If records are produced more than 60 days after receipt of the subpoena request, the practice must waive all charges.[9]

If the Privacy Rule permits disclosure, can I charge a fee to copy and send records?

Arizona law allows you to charge “reasonable costs” when responding to a subpoena for records. When attorneys request records via subpoena, they aren’t required to pay up front. You should include an itemized bill when you mail the records.

“Reasonable costs” in Arizona means:

  • 25 cents per page for “standard reproduction of documents,”

  • actual costs if special processing is required, and

  • reasonable clerical costs at the rate of $25/hour.[10]

Utah law also allows you to bill a reasonable fee as follows:

  • $30 for locating the records;

  • Paper reproduction charges may not exceed 53 cents per page for the first 40 pages, and 32 cents per page for additional pages;

  • The cost of postage if the third party asks you to mail the records;

  • $20 for the physician or practice to certify the record as a duplicate of the original; and

  • Any sales tax owed.[11]

In Utah, the following special rules apply to subpoenas seeking electronic copies of records:

  • If digital or electronic records are requested (and the original medical record is readily producible that way), the practice must deliver the medical records in the digital or electronic medium it usually uses.

  • When producing records electronically, you may only charge 50 percent of the per page fee applicable to paper copies (i.e., 26.5 cents per page for the first 40 pages and 16 cents per page for additional pages), up to a maximum of $150.00.[12]

  • These limits apply regardless of whether your practice stores the original records electronically or in paper form.

Utah adjusts all the above fees annually for inflation.[13]

If the Privacy Rule permits disclosure, how do I fill out the Custodian of Records Affidavit?

When attorneys send you a subpoena for records, they generally include a form for you to fill out called a Custodian of Records Affidavit. The MICA Risk Team answers lots of questions from worried MICA members about this Affidavit. There’s nothing to worry about. Here’s what you need to know:

  • A physician does not need to complete the Affidavit.

  • The person completing the Affidavit should be your medical records “custodian” – the person in charge of your medical records.

  • If you don’t have a designated medical records custodian, the individual who copies the records in response to the subpoena could fill out the form.

  • Have the form notarized.

  • Send the completed Affidavit with the records you are disclosing.

Attorneys need these Affidavits if they want to use the records at a hearing or trial. The Affidavit is a notarized document stating that this is a true and accurate copy of records maintained by your medical practice “in the regular course of business.” In other words, you are vouching for their authenticity. Because of this, the attorney can use the Affidavit to get the records into evidence, instead of requiring someone from the practice to appear in court and testify to the same thing.

Still have questions?

If you’re a MICA member and have additional questions or just want someone to look at your subpoena for medical records, don’t hesitate to call the MICA Risk Team. We will review your documents, answer your questions, and provide guidance. Contact us at 800-705-0538 or rm_info@mica-insurance.com.

 

[1] This article only discusses compliance with the federal HIPAA Privacy Rule (Arizona state law on subpoenas for medical records is slightly more restrictive but nearly identical to HIPAA – see A.R.S. section 12-2294.01). This article does not address requirements related to the confidentiality of psychotherapy notes or substance abuse treatment. In addition, there may be other state-specific laws, more restrictive than HIPAA, that apply to restrict the disclosure of sensitive health information including information related to sexually transmitted diseases, HIV/AIDS, mental health treatment/diagnoses, and reproductive health.

[2] 45 CFR 164.512(e)(1)(v); A.R.S. § 12-2294.01(B)(2)

[3] 45 CFR 164.512(e)(1)(ii)(B) & (iv)(A)-(B)

[4] A.R.S. § 12-2294.01(B)(1)-(5)

[5] 45 CFR 164.512(e)(1)(ii)(A)

[6] 45 CFR 164.512(e)(1)(iii)(A)-(C)

[7] A.R.S. § 12-2294.01(A)

[8] This means “postmarked or otherwise made available” within 30 days after receipt of the subpoena. Utah Code Ann. §78B-5-618(5)(a)(i) & (b).

[9] Id. at §78B-5-618(5)(b)(i)-(ii)

[10] A.R.S. § 12-351(C) & (F)(1)

[11] Utah Code Ann. § 78B-5-618(4)

[12] Id. at §78B-5-618(6) & (7)(c)

[13] Id. at §78B-5-618(4)(b); (5)(a)(i)-(iii); (7); (8)(a)-(c)