The attorney-issued subpoena for medical records that includes patient authorization
Attorney-issued subpoenas for medical records of a patient are accompanied by a HIPAA authorization from the patient that permits the requested disclosure.
The covered party may disclose information that is responsive to the subpoena, but only if it first satisfies its HIPAA subpoena compliance obligations. To satisfy these HIPAA subpoena requirements, the covered entity whose medical records are sought, must comply with the notification requirements of the Privacy Rule. Before responding to the subpoena, the provider or plan should receive evidence that there were reasonable efforts to either: 1) Notify the person who is the subject of the information about the PHI request, so the person has a chance to object to the disclosure, or 2) Seek a qualified protective order for the information from the court. Both of these options are discussed below.
The law requires that before a provider can respond to a subpoena for medical records by disclosing PHI, the provider must receive satisfactory assurance from the requesting party that reasonable efforts have been made by the requesting party to ensure that the patient who is the subject of the PHI has been given notice of the request.
Under the law, a covered entity receives satisfactory assurance from the party seeking the PHI, if the covered entity receives a written statement and other documentation from the requesting party demonstrating:
- The party requesting the information has made a good faith attempt to provide written notice to the patient;
- The notice included sufficient information about the litigation involving the PHI request to allow the patient to raise an objection to the court; and
- The time for the patient to raise objections has expired, and:
- The patient did not file any objections; or
- Any patient objections were resolved by the court and the PHI being sought is consistent with that resolution.
Seeking a Qualified Protective Order
A qualified protective order is an order from a court, or of an administrative tribunal (e.g., a Department of Labor, or a Workers Compensation Board), or a stipulation (a signed agreement) by the parties to the litigation or administrative proceeding.
The qualified order, to meet HIPAA subpoena compliance requirements, must contain language that prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or administrative proceeding that is the subject of the subpoena
The qualified order must also, to meet HIPAA subpoena compliance requirements, require that all PHI (including all copies made) either be returned to the covered entity or be destroyed at the end of the litigation or proceeding.
Need assistance with HIPAA compliance? Compliancy Group can help! We help you achieve HIPAA compliance with Compliance Coaches™ guiding you through the entire process. Find out more about the HIPAA Seal of Compliance™ and Compliancy Group. Get HIPAA compliant today!