Federal Subpoenas for Medical Records: HIPAA Privacy Protections

Federal Subpoenas for Medical Records: HIPAA Privacy Protections

When federal agencies issue subpoenas for medical records, it can put healthcare providers in a tricky situation. On one hand, they have a duty to comply with valid legal requests. On the other hand, they also have a duty to protect patient privacy under HIPAA. This article will examine how HIPAA applies to federal subpoenas for medical records, including the notification requirements and permitted disclosures.

What is HIPAA?

HIPAA, or the Health Insurance Portability and Accountability Act, is a federal law that provides privacy protections for patient health information. The HIPAA Privacy Rule lays out requirements for how covered entities like doctors, hospitals, and health plans can use and disclose protected health information (PHI).

PHI refers to any information in a medical record that could identify the patient, including things like names, birthdates, social security numbers, diagnosis codes, and treatment details. Under HIPAA, patients have certain rights over their PHI, and healthcare providers have certain responsibilities to safeguard it.

When Can a Federal Agency Issue a Subpoena for Medical Records?

Federal agencies like the Department of Justice (DOJ), Drug Enforcement Administration (DEA), and Office of Inspector General (OIG) have authority to issue subpoenas as part of investigations. For example, they may issue a subpoena for medical records as part of a healthcare fraud investigation or drug diversion investigation.

The subpoena gives them the power to compel the production of documents, including protected health information. Healthcare providers that receive a federal subpoena for medical records are legally required to respond in a timely manner to avoid being held in contempt of court.

HIPAA Notification Requirements

Under HIPAA, a covered entity can only disclose PHI in response to a subpoena if certain notification requirements are met[1]:

• The covered entity must notify the patient in writing that their PHI is being sought via subpoena.
• This written notice must be sent to the patient prior to disclosing any PHI.
• The patient must have an opportunity to object to the disclosure before it occurs.

These notification requirements apply even if the subpoena orders the covered entity not to inform the patient. HIPAA supersedes that, giving patients a right to object before their medical records are turned over.

Permitted Disclosures

Once proper notification is given, HIPAA does permit some disclosures of PHI in response to a federal subpoena[2]:

• The covered entity may disclose the specific PHI requested in the subpoena.
• They may also disclose additional PHI if it is needed to identify the individual or put the information in context.
• However, any PHI disclosed must be limited to the minimum necessary to comply with the request.

For example, if a subpoena requests John Doe’s medical records from January 1 – March 31, 2022, the provider may disclose records from that timeframe. They may also include a face sheet with John Doe’s name, DOB, address, etc. if needed to identify him. But they should not disclose John Doe’s full medical history without limitation.

Requirements for Law Enforcement

If the subpoena for medical records comes directly from a law enforcement official, HIPAA has some additional requirements[6]:

• There must be a written statement that the information is relevant to a legitimate law enforcement inquiry.
• The request must be specific and limited in scope.
• De-identified information should be disclosed when possible.

For law enforcement, the minimum necessary standard does not apply. However, disclosures should not exceed what is reasonably relevant and necessary for their lawful purpose.

Responding to Improper Subpoenas

If a healthcare provider receives a subpoena that does not meet HIPAA requirements, they should not ignore it. The proper response is to file a motion to quash or modify the subpoena[3].

Reasons to quash or modify a subpoena may include:

• It requests more records than reasonably needed
• It fails to allow time for proper patient notification
• It asks for records outside the statute of limitations
• It seeks records that are privileged or protected

This allows the provider to comply with lawful requests while still upholding their duty to safeguard HIPAA rights. The court may decide to uphold or modify the subpoena accordingly.

Penalties for HIPAA Violations

If a covered entity does improperly disclose PHI in response to a subpoena, there can be stiff penalties under HIPAA[4]:

• Fines of $100 to $50,000 per violation, up to a maximum of $1.5 million per year
• Potential criminal charges if the violation was willful

Plus, the covered entity may be open to private lawsuits from patients whose privacy was violated.

That’s why it’s critical to take care in responding to subpoenas for medical records. Here are some best practices:

• Carefully review the subpoena to ensure it is valid and enforceable. Check that it is signed by a judge and complies with state laws.
• Notify the patient as required under HIPAA, even if the subpoena orders you not to. Give the patient a chance to file objections.
• Only disclose the minimum necessary PHI to comply with the subpoena after notifying the patient.
• If the subpoena is improper, file a motion to quash or modify it rather than ignoring it.
• For law enforcement requests, ensure there is a written statement of need and that the request is specific and limited.
• Consult with an attorney if you are unsure how to respond to a particular subpoena.
• Document your response to the subpoena for your records.

Responding properly to subpoenas can be complex, but is important for complying with both HIPAA and legal obligations. Healthcare providers should develop clear policies and train staff on handling subpoenas. With the right preparation, covered entities can respond appropriately while still protecting patient privacy.

References

[1] https://www.camft.org/Resources/Legal-Articles/Chronological-Article-List/responding-to-a-subpoena

[2] https://www.norcal-group.com/library/taking-the-fear-out-of-responding-to-subpoenas-for-medical-records

[3] https://www.legal.io/articles/5170764/How-to-Respond-to-a-Third-Party-Subpoena-for-Documents

[4] https://www.reliasmedia.com/articles/138548-you-must-respond-carefully-when-you-are-served-with-a-subpoena

[5] https://www.apa.org/monitor/2016/07-08/ce-corner

[6] https://www.magmutual.com/learning/article/step-step-guide-responding-medical-record-subpoenas/