Part 7: Subpoenas and HIPAA

July 31, 2019

Med Mal 101: Back to Basics is a 12-part series produced by Friday, Eldredge & Clark. Written by the attorneys in the Medical Malpractice Group, the content is designed to give physicians and other healthcare providers information they need to know about malpractice litigation.


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects an individual’s personal health information (PHI) from unlawful disclosure.[1] When served with a subpoena to provide medical records, a medical care provider must take care to properly honor the subpoena, while also avoiding unlawful disclosure of personal health information.

A subpoena alone may be insufficient to allow disclosure of PHI. Therefore, in most cases, a subpoena for medical records will also include a HIPAA-compliant medical authorization signed by the patient. If a subpoena requests medical records and permission from the patient is not clear, it is best to contact an attorney prior to disclosure of records to ensure HIPAA compliance.

A HIPAA-covered provider may disclose information to a party issuing a subpoena only if the notification requirements of the Privacy Rule[2] are met. Before responding to the subpoena, the provider or plan must receive “satisfactory assurances” that certain steps have been taken to protect the patient’s privacy.[3] 

Under the statute, a covered entity receives “satisfactory assurances” when the party issuing the subpoena provides a written statement and accompanying documentation demonstrating that:

  1. the party requesting such information made a good faith attempt to provide written notice to the individual;
  2. the notice included sufficient information about the litigation or proceeding in which the protected health information is requested to permit the individual to raise an objection to the court; and
  3. the time for the individual to raise objections has elapsed,[4] and either no objections were filed or the court has already resolved any objections that were raised.[5] 

The statute also describes what a qualified protective order requires. The protective order must have been issued by order of a court or of an administrative tribunal, or by stipulation of the parties to the litigation or administrative proceeding.[6] A qualified protective order prohibits parties from using or disclosing protected health information for any purpose other than the litigation or proceeding for which such information was requested and requires the return to the covered entity or destruction of the protected health information, including all copies made, at the conclusion of the litigation or proceeding.[7]

Next month, we will address the discovery process in medical malpractice cases. 

[1] https://www.hhs.gov/hipaa/for-professionals/privacy/index.html

[2] See 45 C.F.R. § 164.512(e).

[3] See 45 C.F.R. § 164.512(e); see also https://www.hhs.gov/hipaa/for-individuals/court-orders-subpoenas/index.html.

[4] For more information on time to respond, see Part 6 of our MedMal 101 series.

[5] See 45 C.F.R. § 164.512(e)(1)(iii).

[6] See 45 C.F.R. § 164.512(e)(1)(v).

[7] See 45 C.F.R. § 164.512(e)(1)(v)(A)-(B).

The information was written by the attorneys in the Medical Malpractice Group at Friday, Eldredge & Clark, LLP. This is not a substitute for legal advice and should be considered for general guidance only. For more information or if you have further questions, please contact one of our Medical Malpractice Attorneys.

The 12-month series will include the following topics: