Medical Record Subpoena: What is it?

medical record subpoena

Medical Record Subpoena: What is it?

Three Things You Should Know Before Responding to a Medical Record Subpoena

All healthcare providers at some point in their careers will be called upon by attorneys to provide information. While this may feel overwhelming initially, the process can be mitigated by staying organized and with a small bit of foresight. This article will explain the details of a subpoena, how to navigate your response, and avoid unnecessary legal and financial challenges.

What is a Subpoena? 

A subpoena is translated as “under penalty,” and refers to a written order from the court or an attorney that requires a person to do something. Failure to do so results in criminal penalties, such as fines, jail time, or both. Attorneys use subpoenas to obtain a patient’s medical records that could serve as crucial evidence for use in personal injury, medical malpractice, or workers’ compensation claims, or for different types of civil lawsuits (1).

Healthcare providers are aware that the Health Insurance Portability and Accountability Act (HIPAA) and state privacy laws restrict the disclosure of protected health information (PHI) to third parties. To avoid any financial and legal penalties, it is necessary to pay careful attention to every detail to protect patient privacy when releasing medical records. The process becomes even more complicated when responding to a subpoena. How you handle your response can make the difference between a correctly executed transaction and a legal and financial challenge.

An attorney subpoena won’t contain a judge’s signature, unlike a court order subpoena that will be signed by a judge. Regardless of HIPAA regulations, providers must comply with court orders and provide the necessary information (2). For orders issued by attorneys, PHI can be released only if the HIPAA Rule standards are met, and the patient has been notified (3).

Providers must understand the different types of subpoenas, including:

  • Witness subpoena: demands providers to testify in court.
  • Subpoena duces tecum: a request for documents or records.
  • Deposition subpoena: requires attending a deposition.

Remember, it’s important to carefully examine subpoenas of medical records to fully understand their scope. When in doubt, consult your medical malpractice attorney to ensure that you comply with all regulations and HIPAA mandates.

How to Respond to a Subpoena 

There are various crucial measures you should take after receiving a third-party subpoena for documents to guarantee that you will adhere by the subpoena’s requirements.

Correctly responding to a subpoena for medical records depends on the subpoena’s legal standing, the nature of the request, and the amount of time given to complete it. A healthcare organization that provides incorrect information may be in violation of HIPAA or state privacy regulations and be subject to severe penalties.

Here are three important steps to follow when responding to subpoena for medical records while protecting patient privacy and confidentiality:

Step 1: Identify the Subpoena Authority 

An important step is to confirm that the subpoena is valid by checking if the request was issued by an attorney or a judge. You must provide the requested information if you are given a court order subpoena, a subpoena signed by a judge, magistrate, or administrative tribunal, or if it’s a grand jury subpoena. However, it’s crucial that you only provide the information specifically requested, and nothing more.

To verify that the order is issued by the court, check if the request is signed by a judge by looking for the judge’s name and signature on the subpoena. You should also confirm the judge’s name is listed in print next to the signature.

The subpoena is not a court subpoena for medical records or discovery request if it is signed by someone other than a judge, magistrate, or administrative tribunal, such as a court clerk or an attorney. A subpoena signed by an attorney or a court clerk requires additional assurances under HIPAA.

When a subpoena is issued by an attorney, contact the party issuing the subpoena to receive satisfactory written assurances or a qualified protective order. Documentation must demonstrate that the patient was given a reasonable opportunity to object to the subpoena and that an effort was made to notify them of the order and the legal case it was related to. Even if the notification requirement is not met, providers can still release PHI if the patient has signed a valid, HIPAA-compliant release form that authorizes the release of records.

Step 2: Determine What is Being Requested 

After confirming the authenticity of a subpoena written by an attorney, review the information being requested. When releasing medical records to an attorney, be certain to only disclose what is necessary. Most states require a subpoena to particularly request records that are especially protected, such as those pertaining to mental health and substance abuse. Additionally, a subpoena does not necessarily allow for the release of complete medical records of patients.

Step 3: Keep Track of Deadlines 

Pay attention to the deadline once you’ve decided which records to provide. Take note of the timeframe for delivering the records, which may sometimes be too short for the provider to fulfill. A subpoena request for medical records typically has a short timeframe of 7 to 14 days, which may not be sufficient if the patient needs to be contacted for authorization or if the patient wants to object to the subpoena.

Contact your supervisor if you believe you don’t have enough time to respond. You must typically respond within 21 to 25 days if there is no deadline specified. Remember, even if the subpoena is valid, you should not respond right away. This allows the patient enough time to object or sign an authorization.

Extra Tips for Responding to a Subpoena 

  • Protected PHI cannot be released if the subpoena is inadequate or incomplete, and the provider must notify the issuing party of this immediately.
  • Pay attention to the subpoena’s due date and provide records by the suggested deadline. Failure to respond and comply to a valid subpoena may result in penalties, civil damages, court fees, and more.
  • If the subpoena includes an attached authorization for the patient to sign, use the practice’s HIPAA authorization form instead to ensure HIPAA-compliance.
  • Provide only the requested records.
  • Determine whether there are any additional HIPAA related laws that limit the requested release of medical records, such as state-specific laws limiting disclosures for mental health or drug and alcohol treatment records.
  • Ask your supervisor if you have any questions about whether or which papers can be processed.

For more information about medical record subpoenas, visit the U.S. Department of Health & Human Services website.

Need training? Take one of our online HIPAA courses today!


  1. What is a Subpoena? FindLaw. Published Jan 17, 2018. Retrieved Oct 6, 2022 from
  2. Court Orders and Subpoenas. U.S. Department of Health and Human Services. Published Nov 2, 2020. Retrieved Oct 6, 2022 from
  3. The HIPAA Privacy Rule. U.S. Department of Health and Human Services. Published March 31, 2022. Retrieved Oct 6, 2022 from