Healthcare providers and other HIPAA covered entities receive requests for protected health information (“PHI”) from a variety of sources on a daily basis. Such requests can range from informal requests made during the course of conversation with a patient or family member, to written requests or demands served by law enforcement personnel or through a formal legal process. For more common requests, such as when a patient requests access to his or her PHI, covered entities typically have established procedures for documenting the request and responding in a manner that complies with HIPAA and applicable state laws. Although requests for PHI in the form of subpoenas, requests for production and other legal documents may be less common, it is no less important for covered entities to know what is (and is not) required of them in responding to such requests.
The general principle under HIPAA is that covered entities may use or disclose PHI only as permitted or required under the HIPAA Privacy Rule or as authorized in writing by the patient (or his/her personal representative) who is the subject of the PHI. HIPAA contains various exceptions to this general principle that provide the boundaries within which PHI may be used or disclosed in specific situations. In the context of litigation or other legal proceedings, if a covered entity is a party to the proceeding, the covered entity is generally permitted (with certain exceptions and limitations) to use or disclose PHI for purposes of the proceeding as part of the covered entity’s healthcare operations. It is often the case, however, that covered entities receive requests or demands for PHI in relation to legal proceedings to which they are not parties. In those situations, if the patient’s authorization cannot be obtained, HIPAA permits covered entities to disclose PHI under certain conditions. Because HIPAA distinguishes between requests that are authorized by an order of a court or administrative tribunal, and subpoenas or other requests that are not accompanied by such an order, it is crucial to make this determination from the face of the documents received.
Judicial and Administrative Proceedings: Disclosures Pursuant to Court Order
HIPAA permits covered entities to disclose PHI in the course of any judicial or administrative proceeding “in response to an order of a court or administrative tribunal, provided that the covered entity discloses only the protected health information expressly authorized by such order.” See 45 C.F.R. 164.512(e)(1). A court order may require production of Tom Smith’s medical records from January 1, 2000-December 31, 2000, for example. In responding to such an order, the covered entity must be attentive to the language on the face of the order and ensure that it limits disclosure of PHI only to what is specified in the order. Only Tom Smith’s medical records should be produced, but production should include his full medical records from the year 2000. The covered entity must fully comply and respond to the order in a timely fashion or risk being held in contempt of court.
Judicial and Administrative Proceedings: Requests Not Accompanied by a Court Order
When a covered entity receives a subpoena, discovery request, or other request that is not accompanied by a court order, the covered entity must ensure that additional protections are in place before disclosing the PHI. These protections are referred to as “satisfactory assurances” and can come in the form of: (1) written assurance that good faith attempts have been made to notify the patient; or (2) written assurance that the parties have agreed to or requested a qualified protective order. See 45 C.F.R. 164.512(e)(1)(ii).
- Notice to the Patient. To allow for disclosure of the requested PHI, the covered entity may obtain a written statement and accompanying documentation from the requesting party that: (A) the party has made a good faith attempt to provide written notice to the patient; (B) the notice included sufficient information about the legal proceeding to permit the patient to raise an objection to the court; and (C) the time to object has passed, and the patient did not object or any objections have been resolved and the disclosure is consistent with such resolution. See 45 C.F.R. 164.512(e)(1)(iii).
- Qualified Protective Order. Another option that allows the covered entity to disclose the requested PHI is to obtain a written statement and accompanying documentation that the parties to the proceeding have agreed to a qualified protective order and presented it to the court or the party requesting the PHI has requested a qualified protective order from the court. The qualified protective order must prohibit the parties from using or disclosing the PHI for any purpose other than the legal proceeding and require the parties to return the PHI to the covered entity or destroy the PHI at the end of the proceeding. See 45 C.F.R. 164.512(e)(1)(iv).
A covered entity is permitted to disclose the requested PHI if, in lieu of obtaining satisfactory assurances from the requesting party, the covered entity makes reasonable efforts on its own to provide the required notice to the patient or seek the qualified protective order. See 45 C.F.R. 164.512(e)(1)(vi).
When a covered entity receives any request for PHI in the context of litigation or other legal proceedings, HIPAA should be the first consideration. It can be helpful to remember that, for purposes of HIPAA, disclosure in response to such requests is permitted but not required, although other statutes, court rules and practical considerations may also apply and may warrant or compel disclosure. In the process of assessing its response, the covered entity should also consider whether de-identified information would be responsive to the request. De-identifying PHI, or obtaining a HIPAA-compliant authorization from the patient, can significantly reduce potential HIPAA liability exposure. If PHI must be disclosed, covered entities must make reasonable efforts to limit such PHI to the minimum necessary to accomplish the intended purpose of the request.
It can sometimes be difficult for covered entity personnel to determine whether a subpoena or other request constitutes a court order or is simply a subpoena for records. Legal documents sometimes have a tendency to look alike, and the difference can depend on who is signing the document (a judge versus an attorney, for example). Additionally, subpoenas, civil investigative demands, and similar requests that arise in judicial and administrative proceedings may also be served in the context of a law enforcement inquiry or health oversight activity. The HIPAA Privacy Rule contains specific requirements for disclosures in those contexts, so careful consideration must be given to each request to determine which HIPAA exception applies. In addition, each covered entity should have clear and compliant policies and procedures that outline the internal processes for handling responses to subpoenas and other requests for PHI. If questions or uncertainties arise, covered entities should consult with an attorney who is well-versed in HIPAA and applicable state privacy laws to ensure that all applicable legal requirements are met.