Medical Records: Responding to Subpoenas and Investigations

Healthcare Training Resource
May 9, 2013 — 1,012 views  
Become a Bronze Member for monthly eNewsletter, articles, and white papers.

The Health Insurance Portability and Accountability Act of 1996, often shortened simply to HIPAA, is one of the most comprehensive pieces of privacy legislation passed by Congress in the last century. Because of its very strict provisions and very stiff penalties for failing to comply with privacy mandates throughout the bill, many medical professionals shy away from anything that might involve disclosure of patient health information or other private details. In the case of a subpoena, however, disclosure is often required and refusing to comply can lead to even bigger legal headaches.

Working within HIPAA, and complying with a subpoena, can be done quite easily as long as professionals know a bit about how the law handles investigations. Specific provisions within the law do allow for the disclosure of some information upon subpoena, in a limited number of cases, and these laws safeguard medical professionals from any form of retribution after the fact.

Disclosure: A Look at Protected Health Information

The key term to embrace when disclosing HIPAA-protected information in light of a subpoena is "protected health information," often abbreviated PHI. Protected health information can only be disclosed in a limited number of cases, often relating to certain kinds of subpoenas and investigations. Generally, PHI is defined as the following:

- Any information that could possibly identify the patient and their medical history or future, that is stored electronically, or on paper, or has been discussed orally with a health professional.

- Any information regarding the medical treatment of an individual, or any information relating to past, current, or future payments exchanged for medical care.

Under almost all circumstances, this information is not to be disclosed. It cannot be granted upon a mere oral request by others, and it cannot be transmitted to any professional not involved in the medical care of a patient. In the event of a subpoena, however, certain disclosures are permitted.

Subpoenaed Medical Records: How to Handle a Request While Complying with HIPAA

Under certain circumstances, it may be acceptable for a medical professional to disclose certain information that is needed due to the course of an investigation, lawsuit, or other legal proceeding. A subpoena is generally required, however, to show proof that access and transmission of such information was required. There are generally two conditions that govern and permit disclosure:

1. The patient whose records are requested authorizes that the needed medical information be released to the legal authority that issued the subpoena, or 

2. The patient's records can be released without their authorization if the legal entity requesting them can show proof that they attempted to contact the patient to obtain their authorization, but did not meet success. There must be evidence of a protective order in place, or there must be evidence that a protective order was at least attempted before the subpoena was issued.

HIPAA regulations clarify exactly what can be deemed a reasonable attempt to make contact with a patient to obtain their authorization. The same regulations govern what must be shown to prove that a protective order was either obtain or reasonably attempted by the entity that requested or issued the subpoena.

A Logical Process for the Handling of Protected Health Information

Remember that protected health information governs that which is privileged, as well as several types of information that are not usually governed under patient-physician privilege. Always err on the side of caution when assessing the information requested, the procedure required, and the proof presented. When in doubt, contact a legal professional who can more easily analyze whether information should be released or not.

Healthcare Training Resource