QUESTION: We received a subpoena from an attorney requesting the medical records of a patient. The attorney represents the plaintiff in the case, and the patient is the defendant. We are not a party to the litigation and want to comply with the subpoena, but we don’t want to violate the Health Insurance Portability and Accountability Act (“HIPAA”) either. Help!
ANSWER: The regulations implementing HIPAA (the “HIPAA Privacy Rule”) require that certain conditions be satisfied before a covered entity, in this case a hospital, may disclose medical records in response to a subpoena. Basically, these regulations require that a hospital receive “satisfactory assurances” that the patient has been notified of the subpoena and that any objections to the subpoena by the patient have been resolved. Until the hospital receives these “satisfactory assurances,” it is prohibited by federal law from disclosing the medical records.
State law may also help here. For example, the Pennsylvania Rules of Civil Procedure require a party in a lawsuit to serve a copy of a proposed subpoena on all other parties prior to issuing that subpoena to a third party (the hospital). Also, the Rules state that a party that intends to serve a subpoena on a third party (the hospital) must file a certificate showing that it has notified other parties in the lawsuit of the subpoena.
So, as required by the HIPAA Privacy Rule, a hospital, or its attorney, should request that the individual who requested the medical records provide the hospital with documentation that indicates that the patient has received notice of the subpoena, has had an opportunity to object to it, and either no objections were filed or all objections have been resolved. Once the hospital receives that documentation, it will be able to comply with the subpoena.