As part of the discovery or disclosure process, parties to a lawsuit often issue a subpoena to a medical provider for patient medical records. Federal law imposes HIPAA subpoena compliance requirements on the provider. These requirements can be found in the HIPAA Privacy Rule. The Privacy Rule regulates the use and disclosure of protected health information (PHI). PHI is health information in any form, including physical records, electronic records, or spoken information. To qualify as PHI, the information must be “individually identifiable health information,” that is, information such as a birth date or phone number that is unique to a patient.

Whether, and to what extent, a covered entity may disclose PHI in response to a subpoena issued during a court proceeding depends upon the type of subpoena.

What is a HIPAA Subpoena?

Different types of subpoenas, along with their corresponding HIPAA subpoena compliance obligations, are discussed below:

The court-ordered subpoena

Subpoenas are generally issued either by a judge (including an administrative judge or administrative law judge) or by an attorney in a case. Judge-issued subpoenas are often referred to as court orders. If a court issues a subpoena that demands production of medical information, the healthcare provider may divulge protected health information, but only the information that is specifically described in the order.

HIPAA Subpoena Compliance

The attorney-issued subpoena for medical records that includes patient authorization

Attorney-issued subpoenas for a patient's medical records are accompanied by a HIPAA authorization from the patient that permits the requested disclosure.

The covered party may disclose information that is responsive to the subpoena, but only if it first satisfies its HIPAA subpoena compliance obligations. To satisfy these requirements, the covered entity whose medical records are sought must comply with the notification requirements of the Privacy Rule. Before responding to the subpoena, the provider or plan should receive evidence that reasonable efforts were made to either: 1) notify the person who is the subject of the information about the PHI request, so that the person has a chance to object to the disclosure; or 2) seek a qualified protective order for the information from the court. Both of these options are discussed below.

The law requires that before a provider can respond to a subpoena for medical records by disclosing PHI, the provider must receive satisfactory assurance from the requesting party that it has made reasonable efforts to ensure that the patient who is the subject of the PHI has been given notice of the request.

Under the law, a covered entity receives satisfactory assurance from the party seeking the PHI if it receives a written statement and other documentation from the requesting party demonstrating that:

  • The party requesting the information has made a good faith attempt to provide written notice to the patient;
  • The notice included sufficient information about the litigation involving the PHI request to allow the patient to raise an objection to the court; and
  • The time for the patient to raise objections has expired, and:
    • The patient did not file any objections; or
    • Any patient objections were resolved by the court and the PHI being sought is consistent with that resolution.

Seeking a Qualified Protective Order

A qualified protective order is an order of a court or of an administrative tribunal (e.g., a Department of Labor or a Workers' Compensation Board), or a stipulation (a signed agreement) by the parties to the litigation or administrative proceeding.

To meet HIPAA subpoena compliance requirements, the qualified order must contain language that prohibits the parties from using or disclosing the protected health information for any purpose other than the litigation or administrative proceeding that is the subject of the subpoena.

The qualified order must also require that all PHI (including all copies made) either be returned to the covered entity or be destroyed at the end of the litigation or proceeding.