Medical Record Subpoenas: HIPAA Violation Warning Issued

The law firm Day Pitney LLP has released a warning to healthcare workers to be careful when disclosing Protected Health Information, even when asked to supply medical records to attorneys under subpoena.

A Connecticut Supreme Court ruling in November 2014 allowed a negligence claim to be filed against a healthcare provider for non-compliance with HIPAA Rules in relation to the disclosure of PHI to third parties. The court ruled that HIPAA Privacy Rules cover Protected Health Information even when that information is needed by attorneys, and requested through proper legal processes.

In Connecticut at least, PHI can only be made accessible under subpoena if certain criteria are in place. The court referred to the Code of Federal Regulations, 45 C.F.R. § 164.512(e)(1)(ii), which only allows the transfer of Protected Health Information if “satisfactory assurances” have been received that the person whose medical history has been requested has received a notice of the access request.

As referred to by Susan R. Huntington of Day Pitney, in order for PHI to be made available under HIPAA Regulations, the required “satisfactory assurances” are as follows:

  1. Written notice has to have been submitted to the individual whose PHI has been requested;
  2. Sufficient information must have been supplied to allow an objection to be raised; and
  3. Sufficient time given for an objection, if any, to be filed and for it to have been resolved or for confirmation to be received that there is no objection.

There is another way under which PHI can be released, while remaining compliant with HIPAA Rules.

Huntington said that in instances where a secure and qualified protective order has been made, and provided the party seeking PHI has made “reasonable efforts” to obtain a qualified protective order under 45 C.F.R. § 164.512(e)(1)(ii)(B), the “satisfactory assurances” are:

  1. The parties involved have agreed to a qualified protective order; or alternatively
  2. The party looking to obtain the PHI has already requested a qualified protective order.

Huntington suggests that for healthcare providers to be able to respond properly to subpoenas, maintain HIPAA compliance and adequately protect the privacy of patients, the easiest step to take is to call the patient, advise them about the subpoena and simply enquire if they object to the release of their PHI.

This gives the patient the opportunity to grant or refuse the subpoena. The issue can be dealt with quickly and efficiently, and HIPAA rules governing the disclosure of PHI can be adhered to. Should the request be authorized, the PHI can be released as per the organization’s HIPAA-compliant procedures. If access is denied, the party requesting the information can be informed and the records not provided.

Using the Connecticut ruling as a legal precedent, attorneys would be able to begin negligence lawsuits for patients seeking damages due to the disclosure of their PHI and for the emotional distress that was caused.

The healthcare industry is currently under examination following the massive data breaches at Community Health Systems, Anthem and Premera Blue Cross. It is therefore vitally important that all healthcare organizations are aware of the rules regarding the disclosure of PHI, including how, to whom, and under what circumstances PHI can be made accessible to unauthorized individuals, in order to avoid both a HIPAA penalty for non-compliance and negligence lawsuits from individuals whose PHI has been made available.