Clarification of HIPAA Rules for Medical Record Subpoenas

The Health Insurance Portability and Accountability Act lays down a number of rules and regulations regarding the storage, use and disclosure of Protected Health Information (PHI); however, a potential issue has recently come to light regarding the HIPAA rules for medical record subpoenas.

When presented with a subpoena to release the Protected Health Information of patients to an attorney or third party, covered entities must check to make sure that the patient in question has been informed of the request for medical record access or they risk a HIPAA violation. The confusion over HIPAA rules for medical record subpoenas is likely to lead to violations of the Privacy Rule and could trigger civil action lawsuits to recover damages by patients who believe their privacy has been violated.

Warning Issued About HIPAA Rules for Medical Record Subpoenas

Day Pitney LLP – a Boston-based law firm – has recently issued a warning to covered entities regarding medical record subpoenas to help clear up confusion on the matter. The advice was deemed necessary following last year’s Connecticut Supreme Court decision to allow a negligence claim to be filed against a healthcare provider for a breach of HIPAA Rules relating to the unauthorized disclosure of PHI.

The court determined that healthcare organizations are not required to provide copies of PHI, even when requested to do so by a lawyer brandishing a subpoena. In the Connecticut case, the court cited a HIPAA regulation that requires “satisfactory assurances” to be provided that the person whose records are demanded by the subpoena has been notified and informed of the legal request for the healthcare provider to disclose their medical records.

Patient privacy must be respected at all times, and in cases such as this the patient must be given the opportunity to raise an objection, and sufficient time must be allowed for that process to take place. In order for that to happen, the patient must first be notified of the request in writing. If no response is received in a reasonable amount of time, it can be considered to mean that there is no objection and the information can be released.

Susan R. Huntington, an attorney at Day Pitney LLP, offered some simple advice that can cut out a lot of the bureaucracy and can usually resolve the matter very swiftly. She says that when presented with a subpoena for medical records, the easiest way for a covered entity to remain HIPAA-compliant is to contact the patient by telephone to make sure they are aware of the data access request.

The patient can then be asked if they have any objection to the healthcare provider honoring the subpoena and releasing the medical records. If access is granted, the records can be provided. If an objection is raised, access to the records should be denied.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news