Serving Subpoenas on Health Care Providers Covered by HIPAA

Adopted: July 25, 2014

Opinion rules that a lawyer may send a subpoena for medical records to an entity covered by HIPAA without providing the assurances necessary for the entity to comply with the subpoena as set out in 45 C.F.R. §164.512(e)(ii).

Introduction:

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the US Department of Health and Human Services (USDHHS) to establish a set of national standards for the protection of certain health information including identifiable medical records of individual patients. Pursuant to this mandate, the USDHHS issued Standards for Privacy of Individually Identifiable Health Information (the Privacy Rule), which established national standards for the protection of protected health information. The Privacy Rule applies to any health care provider who transmits health information in electronic form in connection with certain specified transactions.¹

At issue in this inquiry is 45 C.F.R. §164.512(e) of the Privacy Rule, which pertains to disclosure of protected health information in judicial and administrative proceedings. Pursuant to 45 C.F.R. §164.512(e), covered entities may disclose protected health information in a judicial or administrative proceeding if the request for the information is in response to an order from a court or administrative tribunal. Such information may also be disclosed in response to a subpoena or other lawful process if certain assurances regarding notice to the individual or a protective order are provided. Specifically, a covered entity may disclose protected health information if the covered entity receives satisfactory assurance from the party seeking the information that reasonable efforts have been made by such party to ensure that the individual who is the subject of the requested protected health information was given notice of the request, or the covered entity received satisfactory assurance from the party seeking the information that reasonable efforts were made by such party to secure a qualified protective order. 45 C.F.R. §164.512(e)(1)(ii)(2013).

However, 45 C.F.R. §164.512(e)(1)(vi) allows a covered entity to disclose protected health information in response to a subpoena without receiving satisfactory assurance from the requesting party if the covered entity itself makes reasonable efforts to provide notice to the individual or to seek a qualified protective order.

Inquiry #1:

May a lawyer send a subpoena to an entity covered by HIPAA and demand compliance without providing the assurances set out in 45 C.F.R. §164.512(e)(ii)?

Opinion #1:

Yes, assuming the subpoena complies with the Rules of Civil Procedure.

As a matter of professional courtesy, if the lawyer does not provide the necessary assurances set out in the Privacy Rule, the lawyer may include a letter with the subpoena alerting the entity that certain health information may be subject to state and/or federal privacy laws and informing the entity that it may delay compliance with the subpoena for a reasonable amount of time to comply with any applicable privacy laws. See Rule 1.2(a)(2) (lawyer does not violate rules by treating others with courtesy). In addition to being a matter of professional courtesy, it may be in the client’s best interest to seek compliance with federal and state privacy laws to avoid subsequent objections to the disclosure of the produced materials that may cause delay, additional expense, or prohibit the use of the produced materials.

Inquiry #2:

Would the response to Inquiry #1 be different if the health care provider receiving the subpoena is also a client of the lawyer’s firm in an unrelated matter?

Opinion #2:

Assuming that the client seeking the medical records and the provider/client have the same interest in seeing that the medical records are produced in accordance with applicable law, the lawyer serving the subpoena may, with the informed consent confirmed in writing of both clients, provide advice to the provider/client relative to the requirements of the various privacy rules and may give the provider/client a reasonable amount of time to comply.

If the lawyer provides advice to the provider/client relative to the subpoena and a conflict arises pertaining to the subpoena (i.e., provider/client desires to quash the subpoena or, upon the provider/client’s failure to respond to the subpoena, the client seeking the medical records is required to file a motion to compel or a motion for sanctions), the lawyer may not represent either the client seeking the records or the provider/client relative to the enforcement of the subpoena, unless both clients give their informed consent confirmed in writing.

Endnote

  1. Summary of the HIPAA Privacy Rule, OCR Privacy Brief, US Department of Health and Human Services, Office for Civil Rights: hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html.