Legal disclosures: Know what the privacy rule says about responding to subpoenas
By Edward F. Shay
Health care providers and health plans routinely receive subpoenas seeking the disclosure of PHI about individuals whom they have treated or whose treatment they have paid for. HIPAA’s privacy rule sets forth specific procedures to follow when responding to a subpoena. The rules on subpoenas are particularly important because they help covered entities avoid receiving sanctions for HIPAA noncompliance or running afoul of established judicial procedure in state and federal courts.
There are several different types of subpoenas. Some subpoenas are used for investigational purposes, such as those issued by a grand jury to investigate a crime.
For example, in a recent case, the highest court for the state of New York ruled that a grand jury subpoena could not be enforced when it sought doctor-patient privileged information from 23 hospitals about treatment of individuals in emergency rooms for knife wounds. The grand jury was investigating a stabbing death, and the investigation indicated that the assailant was also wounded by a knife. The prosecutors reasoned that the assailant would have sought emergency medical attention at one of several hospitals within a reasonable distance of the crime scene. In objecting to the subpoena, the hospitals argued successfully that the information about the individuals they treated was privileged and its disclosure could not be compelled by the grand jury.
HIPAA does not change how covered entities respond to grand jury subpoenas. The privacy rule discusses grand jury subpoenas under the section on disclosures for law enforcement purposes, and the rule permits disclosure without qualifications or conditions. However, as in the case above, some providers may contest subpoenas they feel are inappropriate.
In civil lawsuits or administrative proceedings, the interplay between the privacy rule and a subpoena is more complicated, and compliance will likely prove to be far more expensive. In many civil cases, when a subpoena is issued, it is not accompanied by a court order. In these cases, the privacy rule requires covered entities to do one of the following things:
• Release the PHI set forth in the subpoena if they receive assurances that the individual who is the subject of the PHI has been notified. The notice must contain sufficient details about the underlying litigation to enable the subject of the PHI to raise objections to release to the court. Further, the assurances must show that the time for filing objections has passed and that the individual did not file objections or filed them and had them resolved. Otherwise, the covered entity cannot accept the assurances that the notice to the subject of the PHI was adequate.
• In the absence of assurance of adequate notice, release the PHI if they receive similar assurances from the requesting party that it has sought what the privacy rule describes as a “qualified protective order.” A qualified protective order may be obtained from the court, or by stipulation of all of the parties. Under a qualified protective order, the parties agree to use the PHI only for the purposes of the litigation.
Under the privacy rule, the person receiving PHI under a subpoena must agree to return it or destroy it at the end of litigation.
In the event that the parties do not cooperate in providing adequate notice or in seeking a qualified protective order, the privacy rule allows the covered entity to give the notice or to seek the protective order.
Here, the standard of performance appears to be a bit lower because the privacy rule states that the covered entity must only “make reasonable efforts” to accomplish either of these objectives. In the several states where state law already requires a requesting party to give notice to a subject when issuing a subpoena for PHI, the privacy rule’s subpoena requirements will not present a significant additional burden for covered entities. In addition, some states may provide substantially more protections than those required by the privacy rule.
However, many states do not require notice to a subject, especially if the subject is not a party to the litigation. In these cases, covered entities will find that they must invest more resources, training, and legal personnel in reconciling the privacy rule to the rules of civil procedure in their state.
Covered entities in these states should design their subpoena response system to, in essence, “triage” each subpoena. They should have checklists to assess the subpoena’s adequacy and forms and procedures to make reasonable efforts to give notice to subject individuals. These forms should make the process for submitting objections clear to the subject of the PHI.
Covered entities should be able to demonstrate where, when, and to whom they sent the notice with return receipts, fax transmission sheets, etc. As a last resort, they should have an established relationship with legal counsel to assist with how and when to seek a protective order.
Like everything else under the privacy rule, the information generated in each case should be retained as part of the covered entity’s documentation to demonstrate to HHS that it complied with the requirements of the privacy rule.
Editor’s note: Edward F. Shay is a partner in the national health law practice at the Philadelphia-based law firm of Post & Schell, PC. The firm’s practice provides complex litigation, contract, medical staff, fraud and abuse, managed care, health information management, regulatory/patient care, corporate, and research related services to a broad spectrum of institutional providers and payers. Shay may be reached at .