Close Server: KOPWWW05 | Not logged in


Subpoenas for Patient Records

Not all subpoenas are equal under HIPAA.

A recent case from the Connecticut Supreme Court exposed some of the pitfalls healthcare practitioners face in attempting to comply with subpoenas for patient records.  A physician practice in Connecticut was served with a subpoena for the records of a former patient. The physician practice provided the records to the court as directed in the subpoena. 

The patient learned later that her former boyfriend obtained the records from the court. The patient sued the physician practice for common law breach of contract and other common law negligence claims based upon the wrongful disclosure of her records.  In support of her common law claims, the patient claimed the physician practice had not complied with the Health Insurance Portability and Accountability (HIPAA) privacy regulations when disclosing her records in response to the subpoena.  Specifically, the patient claimed the practice disclosed her records without notifying her of the subpoena, and without objecting to the subpoena.

The physician practice countered the lawsuit by claiming that HIPAA did not include a private cause of action allowing patients to file lawsuits based upon the alleged wrongful disclosure of Protected Health Information (PHI).  The physician practice also argued that HIPAA preempted the former patient's common law claims so her only recourse was under the HIPAA statute and regulations.  The Connecticut Supreme Court ruled that the former patient's common law claims were not preempted by HIPAA, and that the HIPAA regulations might establish the proper standard of care for a physician practice disclosing patient records in response to a subpoena.  The whole case might have been avoided if the physician practice had complied with the HIPAA regulations in responding to the subpoena.

SEE ALSO  "Record Theft: Criminal prosecutions under HIPAA are rare, but they do exist."

We all recall from our HIPAA training that the HIPAA regulations allow a covered entity to release PHI in response to a court order, or a subpoena.  Unfortunately, the HIPAA regulation on disclosing PHI in response to a subpoena is confusing.  The title of that particular regulation is Uses and disclosures for which an authorization or opportunity to agree or object is not required.  The title implies that a covered entity may disclose PHI in response to a subpoena without the knowledge of the subject of the PHI.  In reality, the HIPAA regulation requires a covered entity to receive more than the subpoena before releasing PHI.

The HIPAA regulation requires a covered entity to receive "satisfactory assurances" that the patient has been notified of the subpoena.  Covered entities need to know what they are required to obtain as "satisfactory assurances" before providing records pursuant to a subpoena.  The term "satisfactory assurances" in the HIPAA regulation means the covered entity received a written statement and accompanying documentation with the subpoena showing that the:

  • individual seeking the PHI made a good faith attempt to provide written notice to the subject of the PHI; 
  • written notice included sufficient information about the litigation or legal proceeding in which the PHI was sought to permit the subject of the PHI to object to the disclosure of the PHI;  and
  • time for any objection to the disclosure of the PHI has passed without any objection, or the court had resolved those objections. 

If the subpoena does not include those "satisfactory assurances" then the covered entity needs to request them from the individual that served the subpoena, or the covered entity must object to the subpoena.  Unfortunately, covered entities still receive subpoenas that do not comply with the HIPAA regulation.

The HIPAA regulations may also be establishing the standard of care for disclosure of PHI.  Several states in addition to Connecticut have allowed litigants to use the HIPAA regulations to establish the standard of care for maintaining the confidentiality of PHI.  Healthcare practitioners that provide PHI in response to subpoenas that do not include the "satisfactory assurances" defined in the HIPAA regulations are exposing themselves to the potential for costly litigation with their patients and former patients.

Michael L. Smith, JD, RRT is board certified in health law by The Florida Bar and practices at The Health Law Firm in Altamonte Springs, Florida.  This article is for general information only and is not a substitute for formal legal advice.

You Might Also Like...

2015 Salary Survey of Respiratory and Sleep Professionals

Help us get to the bottom of compensation in your field.

New Grad Center

Tips and tricks to help you obtain new graduate employment

Column Compendium

Addressing the major issues in Respiratory and Sleep Medicine

Patient Education Handouts

Great educational tools for your patients

Legally Speaking Archives


Email: *

Email, first name, comment and security code are required fields; all other fields are optional. With the exception of email, any information you provide will be displayed with your comment.

First * Last
Title Field Facility
City State

Comments: *
To prevent comment spam, please type the code you see below into the code field before submitting your comment. If you cannot read the numbers in the below image, reload the page to generate a new one.

Enter the security code below: *

Fields marked with an * are required.


Back to Top

© 2017 ADVANCE Healthcare, an Elite CE company