HIPAA: Responding to Subpoenas, Orders, and Administrative Demands
The HIPAA privacy rules (45 CFR § 164.501 et seq.) generally prohibit healthcare providers ("Providers") from disclosing protected health information pursuant to subpoenas and other government demands unless certain conditions are satisfied. This outline summarizes HIPAA rules for responding to such demands. To the extent there is a more restrictive state or federal law that applies in a particular case, the more restrictive law will usually control.
SUBPOENA, COURT ORDER, WARRANT, OR ADMINISTRATIVE DEMAND. If a Provider receives a subpoena, court order, or warrant that requires the disclosure of protected health information, the Provider should do the following:
- If the Provider is named as a party (e.g., the plaintiff or defendant) in the action, the Provider should immediately notify its legal counsel.
- The Provider should determine if the court or agency issuing the subpoena or order has jurisdiction over the Provider. As a general rule, state courts or agencies only have jurisdiction over entities located or operating within their state. Subpoenas issued across state lines are generally unenforceable; the subpoena must be issued by a court within the state in which the Provider is located. Similarly, subpoenas issued by a federal court from another state are generally unenforceable against the Provider. If the court or agency that issued the subpoena or order does not have jurisdiction over the Provider, the Provider is not obligated to respond to the subpoena or order. If there is any question about whether the court or agency has jurisdiction, the Provider should contact its legal counsel or the entity issuing the subpoena or order to confirm its jurisdictional authority.
- If the court or agency has jurisdiction, the Provider's response will depend on the type of entity issuing the subpoena, order, warrant or demand as described below.
- Court Order, Warrant, or Subpoena Signed by a Judge or Magistrate. If the order, warrant, subpoena, or summons is issued by a court (i.e., signed by a judge or magistrate) or an administrative tribunal, the Provider should strictly comply and disclose the information expressly authorized by the order, warrant, subpoena, or demand. (45 CFR § 164.512(e)(1)(i) and (f)(1)(ii)). Failure to do so may result in fines or penalties against the Provider.
- Grand Jury Subpoena. If the subpoena is issued in a grand jury proceeding, the Provider should strictly comply with its terms. Grand jury proceedings are confidential, so HIPAA does not require additional protections. (45 CFR § 164.512(f)(1)(ii)).
- Subpoena Signed by Court Clerk, Lawyer, Prosecutor, or Other. If the subpoena or other lawful process is signed by a person other than a judge, magistrate, or administrative tribunal (e.g., it is signed by a lawyer, prosecutor, court clerk, etc.), the Provider may not disclose information unless and until it satisfies one of the following:
- The Provider should contact the patient orally or by letter, explain that the Provider has received a subpoena requiring disclosure of the patient's information, and notify the patient that the Provider is required to respond unless the patient quashes the subpoena and notifies the Provider before the deadline for responding to the subpoena. (45 CFR § 164.512(e)(1)(vi)). If the Provider does not know the current address of the patient, the Provider should send the letter and a copy of the subpoena to the patient's last known address and document the same. Once the Provider sends such notice, the burden is on the patient to quash the subpoena if he or she wants to protect the information. A sample letter is attached below.
- Alternatively, the Provider may obtain satisfactory written assurances from the entity issuing the subpoena that either: (a) the entity made a good faith attempt to give the patient written notice of the subpoena, the notice included sufficient information to permit the patient to object to the subpoena, and the time for raising objections has passed or the court ruled against the patient's objections; or (b) the parties have agreed on a protective order or the entity seeking the information has filed for a protective order. (45 C.F.R. § 164.512(e)(1)(iii)-(iv)).
- Alternatively, the Provider may obtain a valid HIPAA authorization executed by the patient. To be valid, the authorization must contain the elements and statements required by 45 CFR § 164.508.
If for some reason the Provider cannot satisfy one of the foregoing, it may not disclose protected health information, but neither may it ignore the subpoena without subjecting itself to possible contempt sanctions. The Provider may need to appear in response to the subpoena, assert an objection based on HIPAA, and wait for the court to order disclosure.
- Administrative Subpoena, Summons, or Investigative Demand. If the Provider receives an administrative subpoena, summons, investigative demand, or similar process authorized by law, the Provider may comply with the request if the issuing entity confirms: (a) the information sought is relevant and material to a legitimate law enforcement inquiry; (b) the request is specific and limited to the extent reasonably necessary for the purpose of the request; and (c) de-identified information could not reasonably be used. (45 CFR § 164.512(f)(1)(ii)).
- In rare but appropriate cases, the Provider may seek a protective order or move to quash a subpoena, order or warrant. (45 CFR § 164.512(e)). Provider personnel should contact the Provider's attorney immediately if they believe the Provider should seek a protective order or quash the subpoena.
- In all cases where disclosure is required, the Provider must ensure that it complies with the strict terms of the subpoena, including the scope of the information disclosed and the timing of disclosure. If the subpoena, order or warrant only requires disclosure of written items, the Provider should not disclose the information orally. If the subpoena requires disclosure at a specific time, the Provider should not disclose the information before the deadline without the patient's consent because doing so may deprive the patient of the opportunity to quash the subpoena.
- The Provider should maintain a copy of the subpoena, order or warrant, and document the facts of the disclosure in the Provider's disclosure log required by 45 CFR § 164.528.
WORKERS COMPENSATION. HIPAA contains a separate exception that allows a Provider to disclose information as authorized by and to the extent necessary to comply with laws relating to workers compensation. (45 CFR § 164.512(l)). The Provider should ensure they are familiar with the limits of their state's workers compensation laws, and limit the disclosure to the extent required by those laws.
PUBLIC HEALTH ACTIVITIES. Under HIPAA, a Provider may disclose protected health information to an entity authorized by law to conduct certain public health activities, e.g., to report certain communicable diseases. The Provider should ensure the disclosures satisfy the requirements in 45 CFR § 164.512(b).
HEALTH OVERSIGHT ACTIVITIES. HIPAA also permits a Provider to disclose protected health information to a health oversight agency (e.g., state licensing boards, CMS, OIG, etc.) for oversight activities authorized by law, including audits; civil, administrative, or criminal investigations; inspections; licensure or disciplinary actions; civil, administrative, or criminal proceedings or actions; or other activities necessary for appropriate oversight. The Provider must ensure that it complies with the circumstances and limitations in 45 CFR § 164.512(d).
LAW ENFORCEMENT. HIPAA contains a whole series of exceptions related to disclosures to the police or other law enforcement agencies. (45 CFR § 164.512(f)). We will address those rules in a separate Healthcare Update.
NONCOMPLIANT REQUESTS. If a Provider receives a request for protected health information that does not fit within a HIPAA exception (including the exceptions identified above), it may want to respond by sending an appropriate letter explaining its obligations under HIPAA. A sample letter is attached below.
OTHER LIMITATIONS. When evaluating the foregoing disclosures, Providers should consider whether other laws in addition to HIPAA limit disclosures, e.g., limits on disclosures for drug or alcohol treatment records (e.g., 42 CFR part 2), attorney-client privilege; peer review privilege; etc. Remember: to the extent a state law is more restrictive than HIPAA, Providers are generally required to comply with the more restrictive law.
Sample Letter to Patient Who Is the Subject of a Subpoena
Sample Response to Request for Protected Health Information
For questions regarding this update, please contact
Kim C. Stanger
Holland & Hart, U.S. Bank Plaza, 101 S. Capitol Boulevard, Suite 1400, Boise, ID 83702-7714
email: email@example.com, phone: 208-383-3913
This news update is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This news update is not intended to create an attorney-client relationship between you and Holland & Hart LLP. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.