What to Know Before Responding to a Medical Record Subpoena

At some point in their careers, all healthcare providers will be called upon by attorneys to provide information. While this may feel overwhelming initially, the process can be made easier by staying organized and using a bit of foresight. This article explains what a subpoena is, how to navigate your response, and how to avoid unnecessary legal and financial challenges.

What is a Subpoena?

The word subpoena translates as "under penalty" and refers to a written order from the court or an attorney that requires a person to do something. Failure to do so results in criminal penalties, such as fines, jail time, or both. Attorneys use subpoenas to obtain a patient's medical records that could serve as crucial evidence in personal injury, medical malpractice, or workers' compensation claims, or other types of civil lawsuits(1).

Healthcare providers know that the Health Insurance Portability and Accountability Act (HIPAA) and state privacy laws restrict the disclosure of protected health information (PHI) to third parties. To avoid financial and legal penalties, providers must pay careful attention to every detail to protect patient privacy when releasing medical records. The process becomes even more complicated when responding to a subpoena. How you handle your response can be the difference between a correctly executed transaction and a legal and financial challenge.

Unlike a court order subpoena that a judge will sign, an attorney subpoena won't contain a judge's signature. Regardless of HIPAA regulations, providers must comply with court orders and provide the necessary information(2). For orders issued by attorneys, PHI can be released only if the HIPAA Rule standards are met and the patient has been notified(3).

Providers must understand the different types of subpoenas, including:

  • Witness subpoena: requires providers to testify in court.
  • Subpoena duces tecum: a request for documents or records.
  • Deposition subpoena: requires attending a deposition.

Remember, it's essential to carefully examine subpoenas of medical records to understand their scope fully. When in doubt, consult your medical malpractice attorney to ensure you comply with all regulations and HIPAA mandates.

How to Respond to a Subpoena

You should take various crucial measures after receiving a third-party subpoena for documents to guarantee that you will adhere to the subpoena's requirements.

Correctly responding to a subpoena for medical records depends on its legal standing, the nature of the request, and the amount of time given to complete it. A healthcare organization that provides incorrect information may violate HIPAA or state privacy regulations and be severely penalized.

Here are three critical steps to follow when responding to a subpoena for medical records while protecting patient privacy and confidentiality:

Step 1: Identify the Subpoena Authority

An important step is to confirm that the subpoena is valid by checking if an attorney or a judge issued the request. You must provide the requested information if given a court order subpoena, a subpoena signed by a judge, magistrate, administrative tribunal, or a grand jury subpoena. However, it's crucial that you only provide the information specifically requested and nothing more. 

To verify that the court issued the order, check whether a judge signed the request by looking for the judge’s name and signature on the subpoena. You should also confirm the judge’s name is listed in print next to the signature.

The subpoena is not a court subpoena for medical records or discovery requests if it is signed by someone other than a judge, magistrate, or administrative tribunal, such as a court clerk or an attorney. A subpoena signed by an attorney or a court clerk requires additional assurances under HIPAA.  

When an attorney issues a subpoena, contact the subpoenaing party to receive satisfactory written assurances or a qualified protective order. Documentation must demonstrate that the patient was given a reasonable opportunity to object to the subpoena and that an effort was made to notify them of the order and the legal case it was related to. Even if the notification requirement is not met, providers can still release PHI if the patient has signed a valid, HIPAA-compliant release form that authorizes the release of records.

Step 2: Determine What is Being Requested

After confirming the authenticity of a subpoena written by an attorney, review the information being requested. When releasing medical records to an attorney, be sure to disclose only what is necessary. Most states require a subpoena to request specially protected documents, such as those about mental health and substance abuse. Additionally, a subpoena does not necessarily allow for the release of a patient's complete medical records.

Step 3: Keep Track of Deadlines 

Pay attention to the deadline once you've decided which records to provide. Take note of the timeframe for delivering the records, which may sometimes be too short for the provider to fulfill. A subpoena request for medical records typically has a short timeframe of 7 to 14 days, which may not be sufficient if the patient needs to be contacted for authorization or if the patient wants to object to the subpoena.

Contact your supervisor if you don’t have enough time to respond. You must typically respond within 21 to 25 days if no deadline is specified. Remember, even if the subpoena is valid, you should not respond immediately. This allows the patient enough time to object or sign an authorization.

Extra Tips for Responding to a Subpoena

  • PHI cannot be released if the subpoena is inadequate or incomplete, and the provider must notify the issuing party immediately.
  • Pay attention to the subpoena's due date and provide records by the suggested deadline. Failure to respond and comply with a valid subpoena may result in penalties, civil damages, court fees, and more.
  • If the subpoena includes an attached authorization for the patient to sign, use the practice’s HIPAA authorization form instead to ensure HIPAA compliance. 
  • Provide only the requested records. 
  • Determine whether any other HIPAA-related laws limit the requested release of medical records, such as state-specific laws limiting disclosures for mental health or drug and alcohol treatment records. 
  • Ask your supervisor if you have questions about whether or not papers can be processed. 

For more information about medical record subpoenas, visit the U.S. Department of Health & Human Services website. 

1.    What is a Subpoena? FindLaw. Published Jan 17, 2018. Retrieved Oct 6, 2022, from https://www.findlaw.com/litigation/going-to-court/what-is-a-subpoena.html.
2.    Court Orders and Subpoenas. U.S. Department of Health and Human Services. Published Nov 2, 2020. Retrieved Oct 6, 2022, from https://www.hhs.gov/hipaa/for-individuals/court-orders-subpoenas/index.html.
3.    The HIPAA Privacy Rule. U.S. Department of Health and Human Services. Published March 31, 2022. Retrieved Oct 6, 2022, from https://www.hhs.gov/hipaa/for-professionals/privacy/index.html.