Medical Record Subpoenas: HIPAA Violation Warning Issued

Mar 28, 2015

Law firm Day Pitney LLP has released a warning to healthcare workers to be careful when disclosing Protected Health Information, even when asked to supply medical records to attorneys under subpoena.

A Connecticut Supreme Court ruling in November 2014 allowed a negligence claim to be filed against a healthcare provider for non-compliance with HIPAA Rules in relation to the disclosure of PHI to third parties. The court ruled that HIPAA Privacy Rules cover Protected Health Information even when that information is needed by attorneys, and requested through proper legal processes.

In Connecticut at least, PHI can only be made accessible under subpoena if certain criteria are in place. The court referred to the Code of Federal Regulations, 45 C.F.R. § 164.512(e)(1)(ii), which only allows the transfer of Protected Health Information if “satisfactory assurances” have been received that the person whose medical history has been requested has received a notice of the access request.

As referred to by Susan R. Huntington of Day Pitney, in order for PHI to be made available under HIPAA Regulations, the required “satisfactory assurances” are as follows:

  1. Written notice has to have been submitted to the individual whose PHI has been requested;
  2. Sufficient information must have been supplied to allow an objection to be raised; and
  3. Sufficient time given for an objection, if any, to be filed and for it to have been resolved or for confirmation to be received that there is no objection.

There is another way under which PHI can be released, while remaining compliant with HIPAA Rules.

Huntington said that in instances where a secure and qualified protective order has been made, and provided the party seeking PHI has made “reasonable efforts” to obtain a qualified protective order, under 45 C.F.R. § 164.512(e)(1)(ii)(B) the “satisfactory assurances” are:

  1. The parties involved have agreed to a qualified protective order; or alternatively
  2. The party looking to obtain the PHI has already requested a qualified protective order.

Huntington suggests that for healthcare providers to be able to respond properly to subpoenas, maintain HIPAA compliance and adequately protect the privacy of patients, the easiest step to take is to call the patient, advise them about the subpoena and simply enquire if they object to the release of their PHI.

This gives the patient the opportunity to grant or refuse the subpoena, so the issue can be dealt with quickly and efficiently and HIPAA rules governing the disclosure of PHI can be adhered to. Should the request be authorized, the PHI can be released as per the organization’s HIPAA-compliant procedures. If access is denied, the party requesting the information can be informed and the records not provided.

Using the Connecticut ruling as a legal precedent, attorneys would be able to begin negligence lawsuits for patients seeking damages due to the disclosure of their PHI and for the emotional distress that was caused.

The healthcare industry is currently under examination following the massive data breaches at Community Health Systems, Anthem and Premera Blue Cross. It is therefore vitally important that all healthcare organizations are aware of the rules regarding the disclosure of PHI including how, to whom, and under what circumstances, PHI can be made accessible to unauthorized individuals in order to avoid both a HIPAA penalty for non-compliance and negligence lawsuits from individuals whose PHI has been made available.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelor's degree is from the University of Limerick and his master's degree in journalism is from Dublin City University.
