How to handle PHI when subpoenaed

In this article, we will look into the disclosure of protected health information (PHI) by covered entities in response to legal processes such as subpoenas and discovery requests, even if the covered entity is not directly involved in the litigation. 

When is a subpoena issued to healthcare providers?

A subpoena may be issued to healthcare providers in legal proceedings to compel the disclosure of PHI. Unlike a court order issued by a judge or administrative tribunal, a subpoena is typically issued by a party involved in a legal case, such as a court clerk or an attorney. For HIPAA-covered entities to disclose PHI in response to a subpoena, they must adhere to the Privacy Rule's requirements. Before complying with the subpoena, the healthcare provider should ensure that certain conditions are met. 

See also:  Vanderbilt Medical Center under investigation for releasing transgender patient records 

What PHI could be requested?

In a subpoena issued to healthcare providers, the requested information can vary based on the nature of the legal case and the specific circumstances. Generally, the information that could be requested in a subpoena may include:

1. Patient identifying information: Names, addresses, dates of birth, and other identifying details of individuals whose records are being sought.
2. Medical records: Patient health records, including medical histories, diagnoses, treatment plans, medications, test results, and imaging reports.
3. Treatment notes: Notes and progress reports from healthcare professionals, therapists, and specialists involved in the individual's care.
4. Billing information: Invoices, statements, and billing records related to medical services provided to the individual.
5. Insurance details: Information about the individual's health insurance coverage, claims, and payments.
6. Lab results: Laboratory test results, including blood work, pathology reports, and other diagnostic tests.
7. Prescriptions: Information about prescribed medications, dosages, and instructions.
8. Consent forms: Any signed consent forms or authorization documents related to the release of medical information.
9. Correspondence: Communications between healthcare providers and the individual, including emails, letters, and other written exchanges.
10. Imaging studies: X-rays, MRIs, CT scans, and other medical imaging studies.
11. Referral documents: Referral letters or documents indicating the need for specialized medical care or consultations.
12. Expert opinions: Medical expert opinions or analyses related to the individual's condition or treatment.
13. Insurance claims: Documentation of insurance claims submitted for medical services rendered.
14. Witness testimonies: Requests for healthcare professionals to testify as witnesses in a legal proceeding.

What is satisfactory assurance?

Satisfactory assurance, within the context of a subpoena involving healthcare providers and PHI, refers to the specific requirements that must be met by the party issuing the subpoena before the covered entity can disclose PHI without the necessity of obtaining a separate court order. Satisfactory assurance entails demonstrating that the requester has taken appropriate steps to uphold patient privacy in accordance with the Privacy Rule.

See also: What are the permitted uses and disclosures of PHI?

How to ensure satisfactory assurance is met?

If the following conditions are met, the covered entity can disclose the PHI without requiring a separate court order.

1. Satisfactory assurances from the requesting party

The covered entity must receive satisfactory assurances from the party requesting the information. These assurances relate to notifying the individuals who are the subjects of the information or obtaining a qualified protective order.

2. Notification to the individual(s)

The requesting party must demonstrate that they have made reasonable efforts to provide written notice to the individual(s) whose PHI is being requested. The notice should include sufficient information about the legal proceeding to allow the individual(s) to raise objections with the court. The time for objections to be raised should have elapsed, and no objections were filed, or any objections raised were resolved in a manner consistent with the request. 

3. Documentation Requirements

The written statement and accompanying documentation from the requesting party must provide evidence of their efforts to notify the individual(s) or obtain a qualified protective order. Examples of documentation include:

• Copies of notices sent to individuals
• Proof of resolution of objections (if applicable)
• Copies of qualified protective orders
• Related court motions

4. Qualified protective order

Alternatively, the requesting party can provide documentation that a qualified protective order has been sought and secured from a court. A qualified protective order is a legal order that outlines how the disclosed PHI will be protected and used during the legal proceedings.

See also: HIPAA Compliant Email: The Definitive Guide