NATIONALLY RECOGNIZED FEDERAL LAWYERS
Federal Subpoenas for Medical Records: HIPAA Privacy Protections
|Last Updated on: 2nd October 2023, 05:52 pm
Federal Subpoenas for Medical Records: HIPAA Privacy Protections
Medical records contain some of our most sensitive personal information. Because of this, federal law provides privacy protections for medical records under the Health Insurance Portability and Accountability Act, better known as HIPAA. But what happens when the government issues a subpoena demanding access to protected medical records as part of an investigation or legal proceeding? This article will explain how federal subpoenas work with medical records, and what rights patients have under HIPAA.
What is a federal subpoena?
A federal subpoena is a written order issued by a federal agency demanding that an individual or organization produce documents, give testimony, or both, to support a federal civil or criminal investigation [1]. Federal agencies like the FBI, DEA, SEC, and IRS have authority to issue subpoenas to obtain evidence related to matters under their jurisdiction.
There are two main types of federal subpoenas:
- Subpoena ad testificandum – requires an individual to testify as a witness
- Subpoena duces tecum – requires the production of documents, records, or other evidence
A federal subpoena duces tecum would typically be used to obtain medical records from a doctor’s office, hospital, or other healthcare provider.
HIPAA Privacy Rule protections for medical records
The HIPAA Privacy Rule limits when medical providers can disclose a patient’s protected health information (PHI) without the patient’s authorization [2]. PHI includes information like medical records, test results, appointment details, and billing information.
HIPAA does allow PHI to be disclosed without authorization for certain purposes, including:
- Treatment
- Payment
- Healthcare operations
- Public health activities
- Law enforcement
- Judicial and administrative proceedings
So HIPAA does permit providers to disclose PHI in response to a valid subpoena. But the provider must take steps to protect patient privacy as much as possible.
Requirements for disclosing PHI under a federal subpoena
For a provider to disclose PHI in response to a federal subpoena duces tecum, the subpoena must [3]:
- Be issued by a grand jury or federal agency with proper jurisdiction
- Seek only PHI that is relevant and material to the proceeding
- Give the patient notice of the request for their records
- Allow time for the patient to object to the release of their records
The provider should confirm that the subpoena meets these requirements before disclosing any PHI. The subpoena must clearly specify what information is being requested. The provider must not disclose more PHI than necessary to comply with the subpoena [4].
Patient notification requirements
Before disclosing PHI under a federal subpoena, the provider must notify the patient in writing about [3]:
- Date the records were requested
- Who requested the records
- What records were requested
- Where the records will be sent
- Right of the patient to object to the release
The provider must allow the patient reasonable time to object before disclosing the records – at least 14 days. If the patient objects, the records cannot be released until the matter is resolved.
Limits on what can be disclosed under HIPAA
Even with a subpoena, some types of sensitive PHI have extra protections under HIPAA [3]:
- Psychotherapy notes – Provider must get patient authorization first
- Substance abuse disorder records – Must comply with 42 CFR Part 2 confidentiality requirements
- HIV test results – Many states prohibit release without patient authorization
The provider should consult state laws as well, since they may also limit what medical records can be released. The subpoena does not override more protective state laws.
Penalties for improper disclosure of PHI
If a provider improperly discloses PHI in violation of HIPAA, they may face [5]:
- Civil monetary penalties up to $59,522 per violation
- Criminal penalties up to $250,000 and 10 years imprisonment
- Reputational damage and loss of patient trust
Providers should consult with legal counsel to ensure full compliance with HIPAA before disclosing PHI under a subpoena. Having clear policies and procedures for responding to subpoenas can help avoid violations.
Can patients quash the subpoena?
If a patient objects to their medical records being released under a federal subpoena, they may file a motion to quash or modify the subpoena [6]. Reasons could include:
- Subpoena requires disclosure of privileged or protected information
- Subpoena imposes undue burden or expense
- Subpoena seeks irrelevant information
- Subpoena fails to allow reasonable time to comply
The patient should consult with an attorney to file the motion and explain why the subpoena should be quashed or modified. The court will then decide how to proceed. Patients should be aware of the process and timeline for objecting to avoid waiving their rights.
Key takeaways
- Federal agencies can subpoena medical records, but HIPAA limits what can be disclosed
- Subpoenas must meet specific requirements, like giving notice to the patient
- Providers must take steps to protect patient privacy when complying with subpoenas
- Patients have the right to object to the release of their medical records
- Improper disclosure of PHI under a subpoena can result in significant penalties
Federal subpoenas for medical records raise complex issues at the intersection of privacy rights and law enforcement needs. Both medical providers and patients need to understand their rights and responsibilities when protected health information is requested under subpoena. With careful compliance, disclosure of medical records can support legitimate investigations while still safeguarding sensitive patient privacy.
References
[1] Subpoena, Legal Information Institute[2] Summary of the HIPAA Privacy Rule, HHS
[3] Disclosures for Judicial and Administrative Proceedings, HHS
[4] Guidance Regarding Methods for De-identification of Protected Health Information, HHS
[5] Civil Money Penalties, HHS
[6] Rule 45. Subpoena, Federal Rules of Civil Procedure