What to Know Before Responding to a Medical Record Subpoena

Under HIPAA laws, protected health information (PHI) should not be disclosed to third parties. So, what do you do if a subpoena requests that you disclose it? Can you legally ignore a subpoena? Exactly how much information can you disclose? These are common questions you might have as a healthcare professional.

Responding to a subpoena requesting disclosure of a patient’s medical record can be very tricky. This article will explain the details of a subpoena, your legal obligations, how to navigate your response, and how to avoid unnecessary legal and financial challenges.

What Is a Subpoena?

A subpoena is a written order from a court or an attorney that requires a person to do something. In the healthcare landscape, attorneys can use medical record subpoenas to obtain patients' medical records for use in different types of civil or criminal lawsuits. There are also different types of subpoenas:

  • Witness Subpoena: requires providers to testify in court.
  • Subpoena Duces Tecum: a request for documents or records.
  • Deposition Subpoena: requires attending a deposition.

Remember, it's essential to carefully examine subpoenas of medical records to fully understand their scope. When in doubt, consult your medical malpractice attorney to ensure you comply with all regulations and HIPAA mandates.

Why Are Medical Records Often Sought in Legal Proceedings?

Medical records can serve as evidence in civil and criminal lawsuits. In these lawsuits, claimants can use medical records to corroborate their case. Defendants, on the other hand, can also use a claimant’s medical records as evidence against them. In this case, such records may contain information undermining a claimant’s testimony. As an example, medical records can help in:

  • Personal injury lawsuits
  • Medical malpractice lawsuits
  • Workers' compensation, disability claims, and wrongful death
  • Insurance claims and disputes

Medical records must meet the legal standards of admissibility in court. As such, before sending subpoenas for medical records, legal teams must ensure that these subpoenas follow HIPAA guidelines and any other state regulations on how PHI is accessed, handled, and stored.

How to Respond to a Subpoena

The right response to a subpoena depends on its legal standing, the nature of the request, and the amount of time given to complete it. A healthcare organization that provides incorrect information may violate HIPAA or state privacy regulations and be severely penalized. Here are three steps to follow when responding to a subpoena:

  1. Identify the Subpoena Authority

First, confirm the subpoena’s validity. Do so by checking whether the subpoena was issued by an attorney or a judge. A court subpoena requires compliance. These subpoenas are signed by judges, administrative tribunals, a magistrate, or a grand jury. If it’s a court order subpoena, confirm the judge’s name and signature.

If the subpoena is issued by an attorney, you must confirm that it meets all HIPAA requirements before responding to it. You must also inform the patient and give them reasonable time to accept or object to it. If a patient has signed a HIPAA-compliant release form that authorizes the release of records, a notification may not be needed.

  2. Determine the Details of the Request

The next step is to review the subpoena’s request. Most do not request the release of a patient’s complete medical record. When releasing records to an attorney, be sure to disclose only what is requested.

  3. Keep Track of Deadlines

The last step is to respond to the subpoena in a timely fashion. The rule of thumb is not to respond to a subpoena immediately. A subpoena for medical records typically has a short timeframe of 7 to 14 days. If you think this time is too short, you can always consult your attorney for expert advice. For subpoenas with no stated deadline, aim to respond within 21-25 days. Even this may not be sufficient if the patient needs to be contacted for authorization or if the patient wants to object to the subpoena. In this case, consult your attorney for legal counsel.

Extra Tips for Responding to a Subpoena

  • PHI cannot be released if the subpoena is inadequate or incomplete, and the provider must notify the issuing party immediately.
  • Pay attention to the subpoena's due date and provide records by the suggested deadline. Failure to respond and comply with a valid subpoena may result in penalties, civil damages, court fees, and more.
  • If the subpoena includes an attached authorization for the patient to sign, use the practice’s HIPAA authorization form instead to ensure HIPAA compliance.
  • Provide only the requested records.
  • Determine whether any other HIPAA-related laws limit the requested release of medical records, such as state-specific laws limiting disclosures for mental health or drug and alcohol treatment records. 
  • Ask your supervisor if you have questions about whether or not papers can be processed. 

Common Pitfalls and How to Avoid Them

Here are some common pitfalls covered entities and business entities must avoid when responding to a subpoena:

Disobeying the Subpoena

Can you legally disobey a subpoena? No, you can’t, even if it’s from an attorney. If you disobey a subpoena, you can be charged with civil or criminal contempt. People may have compelling reasons to disobey a subpoena. It is always best to consult your attorney for legal advice.

Providing Incomplete or Inaccurate Records

Another pitfall is providing incomplete or inaccurate records. In this case, you may still be charged with civil or criminal contempt. Assess what information is requested in the subpoena and provide only what is requested.

Most subpoenas do not ask for all of a patient’s medical records, but only parts of them. If a subpoena asks for all of a patient’s medical records, release them, except for specially protected records like mental health records, drug/alcohol treatment records, and STI treatment records. Specially protected records can only be released if the subpoena is signed by a judge and includes a specific request for them. They can also be released if the patient authorizes their release.

Failing To Protect Patient Privacy

In the US, PHI must meet certain standards to be admissible in court. Records with disputable accuracy and/or authenticity are unlikely to be admissible. Apart from complicating the work of legal representatives, non-compliance can incur charges from HIPAA. In this case, aggrieved patients may file a complaint through the Office of Civil Rights (OCR). These complaints can trigger an investigation/audit.

Stay Compliant With HIPAA Exams

The legal implications of subpoenas are one of the many hurdles covered entities and their business associates have to get through. A solid knowledge of the various HIPAA rules and regulations can protect you from non-compliance charges and costs. Our HIPAA courses are tailored to the unique needs of diverse professionals. For example, in our HIPAA for Business Associates, we talk extensively about business associate agreements and how to draft one. In our HIPAA for Healthcare Workers, we discuss the various HIPAA rules and how they affect healthcare workers. We also provide tailor-made HIPAA courses for medical office staff and HIPAA for Dental Offices. Head to our website to view our full catalog of offerings today!