Contact Us: 844-466-7225

HIPAA Rules for Responding to Requests for PHI (Protected Health Information)

June 22, 2017

Under HIPAA, a subpoena that is not accompanied by an order from a court or administrative agency does not allow the clinic to release medical records unless certain conditions are met.

There are three primary sets of conditions that allow a Clinic to release medical records in response to a subpoena, which we discuss in this article.

1. A Clinic can honor a subpoena for medical records that is not accompanied by an order if it receives “satisfactory assurance” from the party seeking the information that reasonable efforts have been made to give the individual whose records are being sought notice of the request.

For the “satisfactory assurances” criterion to be met, the Clinic must receive from the party serving the subpoena a written statement and accompanying documentation demonstrating that (a) the party requesting the information has made a good faith attempt to provide written notice to the individual; (b) the notice included sufficient information about the litigation or proceeding in which the information is requested to permit the individual to raise an objection; and (c) the time for the individual to raise objections has elapsed and either (i) no objections were filed or (ii) all objections were resolved by the court and the disclosures sought are consistent with that resolution.

Some states, including Pennsylvania, have a required subpoena procedure that will typically satisfy those requirements. Specifically, the procedure requires a party who wants to issue a subpoena to notify the opposing party in advance. The opposing party then has the opportunity, within a prescribed period of time, to ask the Court to prohibit the subpoena. The Court must rule on any objections before the subpoena can be sent to you. Alternatively, if the opposing party doesn’t object within that period, he or she is assumed to not be opposing the subpoena. Compliance with those procedures will normally satisfy HIPAA’s requirements. Federal courts do not have a procedure of this kind. It is important to know your state’s laws governing subpoenas.

If the Clinic is located in a state with this type of procedure, the Clinic must review the subpoena materials to determine whether they satisfy the requirements of (a), (b), and (c) above. If the materials do not do so, you should contact the law firm or medical records collection company that served the subpoena and ask them to confirm in writing, including via email, that all prerequisites for service of the subpoena upon the Clinic were met; in particular that either the patient filed no objection or the court overruled those objections. Place that confirmation in the patient’s file. IF YOU CANNOT OBTAIN THIS ASSURANCE, YOU SHOULD NOT PRODUCE THE RECORDS. INSTEAD, YOU SHOULD RESPOND BY STATING IN SUM AND SUBSTANCE THAT THE SUBPOENA DOES NOT SATISFY HIPAA’S RULES FOR RELEASE OF PROTECTED HEALTH INFORMATION.

Note that this procedure works best when, as is commonly the case, the person to whom the records relate is a party to the lawsuit. If that is not the case, a subpoena, even if issued under the circumstances described, is likely not sufficient to release documents because the patient has not had an opportunity to object. That is so because the patient will often not be part of the subpoena process. This will depend upon the procedures applicable in your state.

IF EITHER YOUR STATE ALLOWS SERVICE OF SUBPOENAS WITHOUT A PROCEDURE OF THIS TYPE OR THE CLINIC HAS NOT RECEIVED SATISFACTORY ASSURANCES THAT NOTICE REQUIREMENTS ABOVE HAVE BEEN MET, THE CLINIC CANNOT PROVIDE RECORDS IN RESPONSE TO THE SUBPOENA, UNLESS THE SUBPOENA COMPLIES WITH EXCEPTIONS 2 OR 3 BELOW.

2. A Clinic can also honor a subpoena that is not accompanied by an order if it receives “satisfactory assurances” from the party seeking the information that reasonable efforts have been made by that party to obtain a “qualified protective order.”

In this context, “satisfactory assurances,” means that the Clinic must receive from the party serving the subpoena a written statement and accompanying documentation demonstrating that either: (a) the parties have agreed to a protective order and presented it to the court or administrative body; or (b) the party serving the subpoena has requested a protective order from the court or administrative tribunal.

The other requirement – a “qualified protective order” – means an order or stipulation that: (a) prohibits the parties from using or disclosing the medical information for any purpose other than the litigation or proceeding for which the information was requested; and (b) requires the records to be returned to the Clinic or destroyed at the end of the litigation.

3. The Clinic can itself take steps to seek a qualified protective order as described above or it can contact the patient. WE DO NOT ADVISE DOING THIS BECAUSE IT PLACES THE BURDEN ON THE CLINIC RATHER THAN WHERE IT BELONGS — ON THE PARTIES TO THE LITIGATION.

This content from Claims Rx

Filed under: Practice Management, Privacy & HIPAA, Best Practices, Practice Manager, Physician

 Topics 

 Specialties 

Interested in NORCAL Group?

Contact Your Agent/Broker or call 844.4NORCAL today