The Health Insurance Portability and Accountability Act ("HIPAA") Privacy Rule generally prohibits covered entities and their business associates from disclosing protected health information ("PHI") unless there is a valid written authorization or a specific exception applies (45 CFR §§ 164.500 - 164.534); and, state laws include requirements for when, how and under which circumstances PHI may be disclosed.

A failure to comply could result in fines or other penalties, including criminal. Therefore, if you maintain PHI as part of your business records, before you respond to a subpoena or request for PHI, it is essential you understand the applicable requirements.

If you receive a request for PHI that is accompanied by a written authorization, you must first determine whether the authorization is valid. Many written authorizations do not include all of the elements required under HIPAA or state law. Under HIPAA, to be valid, a written authorization must satisfy the following:

Core Elements - the authorization must contain at least the following core elements:

  1. a description of the information to be disclosed that identifies the information in a specific and meaningful fashion;
  2. the name or other specific identification of the person(s) authorized to make the requested disclosure;
  3. the name or other specific identification of the person(s) to whom the disclosure may be made;
  4. a description of each purpose of the requested disclosure;
  5. an expiration date or expiration event that relates to the individual or the purpose of the disclosure; and
  6. the individual's signature and date (if the authorization is signed by a personal representative of the individual, a description of such representative's authority must also be provided).

Required Statements - in addition to the Core Elements, the authorization must contain statements adequate to place the individual on notice of all of the following:

  1. the individual's right to revoke the authorization in writing, except to the extent action has been taken in reliance on the authorization prior to the revocation;
  2. a description of how the individual may revoke the authorization;
  3. a description of whether treatment, payment, enrollment or eligibility for benefits will be conditioned on a valid authorization. Generally health care providers may not condition the provision of health care on whether a patient signs an authorization; and
  4. PHI that is disclosed pursuant to the authorization may be re-disclosed by the recipient and no longer protected by HIPAA.

No Compound Authorizations - an authorization for the disclosure of PHI may not be combined with any other document. And, an authorization to disclose psychotherapy notes may not be combined with an authorization to disclose other types of PHI.

Authorizations must also be:

  1. complete (i.e., no blanks in required information);
  2. written in plain language; and
  3. retained for 6 years.

Instead of a written authorization, sometimes an entity that holds PHI may receive a subpoena for PHI, and there are specific requirements under HIPAA governing when a disclosure can be made pursuant to a subpoena, including:

  1. the entity disclosing the PHI must obtain satisfactory assurance from the party seeking the information that reasonable efforts have been made by such party to ensure that the individual who is the subject of the protected health information that is requested has been given notice of the request, or
  2. the entity receives satisfactory assurance from the party seeking the information that reasonable efforts have been made to secure a qualified protective order.

For purposes of (i) above, an entity receives satisfactory assurance if it receives a written statement and accompanying documentation demonstrating that:

  1. the party requesting such information has made a good faith attempt to provide written notice to the individual;
  2. the notice included sufficient information about the litigation or proceeding in which the PHI is requested to permit the individual to raise an objection to the court; and
  3. the time for the individual to raise objections to the court has elapsed, and no objections were filed, or any objections that were filed were resolved.

Satisfactory Assurance with regard to a qualified protective order includes a written statement and accompanying documentation demonstrating that the parties to the dispute have agreed to a qualified protective order and have presented it to the court, or the parting seeking the PHI has requested a qualified protective order. A Qualified Protective Order is an order of a court or stipulation of the parties that prohibits them from using or disclosing PHI for any purpose other than the litigation and requires return or destruction of the PHI at the end of the litigation.

An entity that receives a subpoena or request for PHI must also ensure they comply with state law, in addition to HIPAA. Some states have privacy laws regarding PHI that are stricter than HIPAA and the entity must ensure it complies with the strictest requirements. For example, Rhode Island has the Confidentiality of Health Care Communications and Information Act (RI Gen Laws, § 5-37.3, et. seq.). Section 5.37.3-6.1 of that Act requires a party issuing a subpoena to provide a written certification to the entity from which it is requesting information, that it served a copy of the subpoena on the individual whose records are being sought, together with a notice of the individual's right to challenge the subpoena, and twenty (20) days have passed from the date of service on the individual and within that time period the individual has not initiated a challenge. Entities disclosing PHI pursuant to a subpoena in Rhode Island must ensure this written certification is included, or they could be subject to fine and penalties for failing to comply.

HIPAA and state laws also include many other instances in which disclosure of PHI is permitted without authorization or the opportunity for the individual whose records are being disclosed to object, such as: disclosures required by law, disclosures for public health activities, disclosures about victims of abuse, neglect or domestic violence, and disclosures for law enforcement activities. Entities should also be aware that even when permitted, most disclosures must be limited to the minimum amount of information necessary to accomplish the intended purpose of the release of information. Finally, in addition to HIPAA and state laws, there are also regulations specifically applicable to records regarding drug or alcohol abuse, which can be found at 42 CFR Part 2.

If you receive a subpoena or request for PHI and are not sure whether to respond, consult with legal counsel, and if you are an entity that receives requests for PHI often, it may be in your interest to draft and require use of your own authorization form that you know complies with the law.