In recent years, many states, including Iowa, have changed their court rules to allow attorneys to sign and issue subpoenas in pending cases without prior court approval. While the issuance of such subpoenas may be acceptable under general state law, providing documents in response to a subpoena that is only signed by an attorney may lead to a violation of the Health Insurance Portability and Accountability Act (“HIPAA”). If you are a Covered Entity (such as a health care provider or a health plan) or a Business Associate (a person or entity providing services to a Covered Entity that involve the use or disclosure of protected health information), you should be cognizant of the HIPAA-based requirements before responding to a subpoena.
If you are a Covered Entity or Business Associate and have received a subpoena only signed by an attorney, you should first determine whether the subpoena requests protected health information. Protected health information is any information about health status, the provision of health care or payment for health care that is created by a Covered Entity or Business Associate and that can be linked to a specific individual. If you receive a subpoena asking for Patient Jane Smith’s medical records, then the information requested is clearly protected health information. If you receive a subpoena asking for your professional corporation’s balance sheet, then the subpoena is not likely requesting protected health information. However, if that subpoena asks for your professional corporation’s list of accounts receivable, the requested materials would include protected health information. Because most subpoenas are drafted broadly (e.g., “Any and all documents related to…”), it is highly likely that at least some protected health information is being requested when you receive a subpoena.
While HIPAA does not insulate a Covered Entity or Business Associate from responding to a subpoena requesting protected health information, additional information will likely have to be obtained from the issuing attorney before you can respond. Before responding to an attorney-issued subpoena, a Covered Entity or Business Associate is required to receive “satisfactory assurances” that:
45 C.F.R. § 164.512(e)(ii). Satisfactory assurances of “reasonable efforts to ensure” that the person whose records are requested has been given notice can be satisfied through a written statement from the party issuing the subpoena. This statement must provide that party sending the subpoena has made a good faith attempt to notify the individual whose records are being requested and the person consented (such as through a patient authorization for release of records) or the person did not object and the time to object has expired. The notice given to the individual whose records are requested must include sufficient information about the litigation or proceeding to allow the person to raise an objection. In other words, such a notice must identify the court or tribunal, the parties to the litigation, the case number and contact information for the court or tribunal. Practically speaking, this satisfactory assurance would only work well in situations where the subpoena has requested the records of specific individuals.
If the subpoena has requested general business records that happen to include the disclosure of protected health information, the party requesting the subpoena will likely choose to provide satisfactory assurances by providing a qualified protective order. A protective order is a confidentiality agreement entered into by the parties to litigation, which is then entered as an order by the court. A protective order typically sets forth how the parties will identify and treat “confidential documents,” how such documents can be used during the litigation and what happens to such documents once the litigation concludes. For a protective order to be “qualified” under the HIPAA regulations, it must (1) prohibit the parties from using or disclosing protected health information for any purpose other than the litigation or proceeding in which it was requested; and (2) require that the documents (and all copies) be returned to the Covered Entity or Business Associate or destroyed at the end of the litigation or proceeding.
These same “satisfactory assurances” must also be obtained if the Covered Entity or Business Associate is a party to the litigation and thus, receives requests for protected health information through interrogatories or requests for production instead of through a subpoena. Generally, the best and most efficient way to handle such requests is through the use of protective order entered by the court.
If a court or administrative tribunal has issued the subpoena, such subpoena is an “order” and thus, these additional satisfactory assurances are not required before responding. However, even in responding to such subpoenas, the Covered Entity or Business Associate must be careful to only disclose the information “expressly authorized by such order.” 45 C.F.R. § 164.512(e)(i).
If you are a Covered Entity or a Business Associate and receive a subpoena, it is important to ensure that you undertake these additional steps to ensure that you do not violate HIPAA when you release the requested information. Because subpoenas often provide a very short window of time for a response, you should immediately address the HIPAA issues by contacting (or having your attorney contact) the party sending the subpoena and advising them of the satisfactory assurances that are required before you can disclose any protected health information. If you need assistance with a subpoena or would like to further discuss how these requirements may apply to you, please contact or any BrownWinick attorney in the Health Law Practice Group.