Obtaining Medical Records With Subpoenas: Attorneys Should Know The Effect Of The HIPAA Privacy Standards

New federal regulations may affect the way health care providers in Massachusetts respond to subpoenas for individuals’ health information. Privacy standards promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), in effect since April 14, 2003, require that a health care provider consider several factors:
• Whether the patient has authorized the disclosure of the requested health information;
• The type of information sought by the subpoena (e.g., medical records that contain certain sensitive information);
• The type of entity that receives the subpoena (e.g., a hospital or clinic that is licensed by the Department of Public Health (DPH) or some other health care provider — such as a private physician practice);
• Whether the patient whose records are sought is a party to the underlying proceeding as shown by the case caption appearing on the subpoena;
• The type of subpoena that is issued (e.g., civil deposition, civil trial); and
• Whether Massachusetts law or the privacy standards are more restrictive with respect to the release of the information. The privacy standards preempt state law unless the state law is more stringent (or, in other words, provides more protection) than the privacy standards.

Sensitive Information

Certain types of information can only be released pursuant to patient authorization or a court order. The privacy standards do not preempt existing state and federal laws requiring specific patient authorization or a specific court order for the release, for example, of HIV/AIDS testing records, certain mental health records, alcohol and drug abuse treatment records, and genetic testing records. Therefore, those health care providers who otherwise may provide patient records in response to a subpoena may not do so when the subpoena requests such “sensitive” information, unless and until patient authorization or court order is obtained.

DPH-licensed Hospitals and Clinics

Because of the interplay between state law and the privacy standards, DPH-licensed hospitals and clinics now must obtain additional information before releasing health information in response to certain subpoenas, absent patient authorization (note that the privacy standards have requirements for valid patient authorizations). Following are four examples.

1. Patient Is a Party to the Proceeding

Under Massachusetts law, the medical records of a patient held by a DPH-licensed hospital or clinic are confidential. However, hospitals or clinics are permitted to release medical records pursuant to a subpoena if the records sought are of a party named in the underlying proceeding, as shown by the case caption appearing on the subpoena. The privacy standards, by contrast, permit disclosure of protected health information pursuant to a subpoena only after additional steps are taken. The more protective provisions of the privacy standards must be followed. Therefore, if a patient is a party to the proceeding as shown by the case caption appearing on the subpoena, hospitals and clinics now must, before releasing the information, receive ‘satisfactory assurances’ from the person seeking the information that such person has made reasonable efforts either to provide notice to the patient or to obtain a qualified protective order.

2. Satisfactory Assurances Regarding Notice

According to the privacy standards, a DPH-licensed hospital or clinic has received satisfactory assurances that reasonable efforts have been made to provide notice to the patient if the person seeking the health information provides the hospital or clinic with documentation that he or she has:
• made a good-faith attempt to provide written notice to the individual at his or her last known address;
• provided sufficient information to permit the individual to raise objections in the appropriate court within a stated period of time; and
• shown that the stated period of time to raise objections has elapsed and either no objection has been filed or all filed objections have been resolved.
Parties seeking protected health information from DPH-licensed hospitals and clinics (e.g., through a civil deposition subpoena or a trial subpoena) may provide the required notice and satisfactory assurances through written correspondence to the party whose protected health information is sought, followed by written correspondence to the hospital or clinic. DPH-licensed hospitals and clinics may wish to provide sample letters for such correspondence to parties requesting protected health information in an effort to facilitate compliance with the privacy standards.

3. Satisfactory Assurances Regarding a Protective Order

A person who seeks protected health information by subpoena from a DPH-licensed hospital or clinic, when the patient is named in the case caption, has satisfied the requirement to make ‘reasonable efforts’ to secure a ‘qualified protective order’ if he or she has provided the hospital or clinic with a written statement and accompanying documentation that:
• parties to the dispute giving rise to the request for information have agreed to a qualified protective order and have presented it to the court; or
• the person seeking the protected health information has requested a qualified protective order from the court.
Under the privacy standards, a qualified protective order is an order of a court or of an administrative tribunal or a stipulation by the parties to the litigation that prohibits the parties from using or disclosing the health information for any purpose other than the proceeding in which it was requested, and requires the return or destruction of the protected health information at the end of the litigation or proceeding. Surprisingly, the privacy standards do not require that the requested protective order actually be obtained.

4. Patient Is Not a Party to the Proceeding as Shown by the Case Caption

If the patient is not a party to the proceeding as shown by the case caption appearing on the subpoena, the release provisions do not apply. In this context, Massachusetts law requires the DPH-licensed hospital or clinic to receive patient authorization or a court order before releasing protected health information. In this case, Massachusetts law is more protective of patient rights than are the privacy standards, and a properly executed, HIPAA-compliant patient authorization or a court order will be required.

All Other Health Care Providers

These provisions do not apply to health care providers that are not DPH-licensed hospitals or clinics. Massachusetts health care providers have a duty of confidentiality and generally must not disclose their patients’ health information without their patients’ authorization (or a court order). Massachusetts law is thus more stringent than the privacy standards, and health care providers that are not DPH-licensed hospitals or clinics must receive properly executed, HIPAA-compliant patient authorization or a court order before releasing patients’ health information.

Health care providers may need to adopt new procedures in response to the privacy standards. Obtaining appropriate patient authorization, when possible, will still be the most efficient way to obtain health information. In the absence of patient authorization, health care providers must make sure they receive the documents they need before releasing protected health information.

Mike Scully is a partner and Liz Sillin is an associate in the Health Law Practice Group at Bulkley, Richardson & Gelinas, LLP in Springfield; (413) 781-2820; mscully@bulkley.com; esillin@bulkley.com
