Taking the Fear out of Responding to Subpoenas for Medical Records

A subpoena is a request for the production of documents or a request to appear in court. A subpoena may be issued by the clerk of court or by an attorney.

There are two general types of subpoenas, each of which should be handled with care:

• Subpoena for documents–often called a “subpoena duces tecum”
• Subpoena to appear for a deposition (i.e., testimony)

Specific examples of subpoenas issued to medical providers include:

• Administrative subpoena
• Workers’ compensation subpoena
• Coroners’ subpoena
• Criminal subpoena

These recommendations address the subpoena for documents, which is the most common type of subpoena sent to a physician’s office. This type of subpoena is commonly used in civil cases for the production of medical records by mail or courier delivery; however, it can also be used to require a person to deliver the records to a deposition or court proceeding. The subpoena must include documentation that the patient (consumer) received notification that the records are being subpoenaed. There should be either a written authorization for the release of the medical records subpoenaed or a proof of service on the patient.

Medical Professional Liability Risks

Confidentiality laws, such as the federal Health Insurance Portability and Accountability Act (HIPAA), protect patient health information against unlawful disclosure. Disclosure of medical information in violation of the law(s) can subject healthcare providers to penalties and civil damages (e.g., compensatory damages, punitive damages, and attorneys’ fees) for breach of confidentiality. Generally speaking, releasing medical information pursuant to a valid subpoena from a state court is a lawful disclosure and is not considered a breach of the confidentiality rules mentioned above; however, absent a court order, there must be evidence that the patient has been notified of the subpoena. Practices that implement risk management measures to ensure that proper procedures are followed when processing subpoena requests can minimize liability related to unlawful disclosure and breach of confidentiality.

The subpoena will likely set forth a deadline for producing the records. Most states set a minimum number of days that must be given to comply, such as 20 days after the subpoena was served. Furthermore, most states require that you not produce the records earlier than the due date stated on the subpoena. These rules allow the patient time to quash or limit the subpoena if he or she objects to production of the requested records.

If the subpoena does not provide evidence indicating the patient has been notified, you should request a written statement and documentation from the requestor that 1) the patient has been notified and has been afforded the opportunity to respond; or 2) that a qualified protective order has been sought. Alternatively, you can obtain a HIPAA-compliant authorization form directly from the patient, after notifying the patient of the subpoena, or seek a qualified protective order. Additional guidance regarding subpoenas as related to health information privacy is available from the U.S. Department of Health and Human Services.

Release of records under a subpoena must comply with HIPAA’s privacy regulations. In this context, that means producing only those documents that are responsive to the subpoena. The subpoena should be read carefully and only those records specifically requested in the subpoena should be released.

As important as the obligation to protect patient confidentiality is, so is the obligation to respond in a timely fashion to a properly issued subpoena and to provide the information requested. Failure to respond to a valid subpoena may result in one or more penalties, including monetary sanctions, civil damages, and court costs.

Subpoenas for General Records

The rules governing subpoenas may vary depending on the type of information requested and if the subpoena was issued in a state or federal court. If a physician has any doubts about how to respond to a subpoena seeking the release of medical records, he or she should consult an attorney.

Subpoenas for Specially Protected Records

A subpoena seeking the release of general medical records is generally not sufficient authority to release genetic information, mental health, psychiatric and/or psychotherapy records, records of substance abuse treatment, or records that contain HIV/AIDS-related information. A court order may be necessary. If a physician receives a subpoena seeking the release of information in these categories, he or she should consult an attorney.

When federal and state laws differ on confidentiality, the strictest of them governs.

Determining the Validity of a Subpoena

Subpoenas come in different formats and not all subpoenas will appear identical. If you have any question as to the validity of a subpoena, consult an attorney before releasing any medical records.

There are certain distinguishing characteristics that will be included in most subpoenas. They include:

• The full name of the court or body issuing the subpoena
• The names of the parties involved in the civil proceedings
• The word “Subpoena” at or near the top of the document
• The words “you are commanded to produce…,” or similar wording
• The name of the practice or physician
• A specific date, time, and location for you to provide the requested materials
• In some cases, the penalty for non-compliance will be included

Subpoenas are usually delivered by registered mail, although they may also be hand-delivered. Accepting the subpoena does not automatically mean that you have agreed to comply with it.

Risk Management Recommendations

• Develop an office policy and procedure outlining the subpoena process.
• Assign a designated person(s) to accept any subpoena on behalf of the practice and/or physician(s).
• If the subpoena names the practice and/or physician(s) as a party, contact your medical professional liability carrier.
  • If you are concerned that your professional involvement with the patient could result in allegations making you a party to the lawsuit, or that you could be subpoenaed as a subsequent treating witness, contact your medical professional liability carrier.
• Develop a log to record receipt of the subpoena with date and time of service, name of server, and initials of receiver.
• If you have any questions about the validity of the subpoena, consult with your business or health care attorney before releasing the medical records.
• Do not release records prior to the date and time stated on the subpoena. The time limits are to allow a reasonable time for the patient to object to the subpoena and for you to produce the records.
• Maintain a copy of the subpoena in a special section of the medical record to keep a full accounting of all disclosures.
• Conduct requisite training with appropriate office staff about the regulations and process pertaining to responding to subpoenas, including the requirements for a subpoena to be valid.
• Be aware of special protections that may apply to certain types of medical information, such as genetic information, mental health, psychiatric and/or psychotherapy records, substance abuse treatment, and HIV/AIDS-related information. In certain circumstances, the physician has a duty not to submit those records.
• If you are not named as a party or cannot comply with the subpoena for any reason (e.g., the subpoena appears to be invalid, the office does not have the records being requested, or the office needs more time to compile the records), contact the attorney subpoenaing the records. Once the problem is reported and hopefully resolved by phone, follow that phone notification with a written notification explaining why you cannot comply with the subpoena and the agreement reached with the attorney.

Additional Resources

The following resources are available from the U.S. Department of Health and Human Services:

• HIPAA for Individuals–Court Orders and Subpoenas (accessed 1/11/19)
• HIPAA for Professionals—Guidance regarding subpoenas as related to health information privacy (accessed 1/11/19)

The following resources are available to NORCAL policyholders through MyACCOUNT or by contacting the NORCAL Risk Management team:

• NORCAL risk management resource: Medical Records: Access and Release
• Sample Policy and Procedure: Medical Records Subpoenas