Practice Areas

Subpoena Does Not Trump HIPAA Requirements

By Beth A. Sebaugh, Esq.

Recently, I was contacted by a healthcare provider to assist in dealing with an attorney who had subpoenaed medical records without authorization from the patient. When the provider had requested a HIPAA-compliant authorization before releasing the records the attorney issuing the subpoena informed the provider that its HIPAA concerns were misplaced as the provider had been served with a subpoena commanding production of the records, which "comports with Rule 45 of the Ohio Rules of Civil Procedure."

General Counsel was prudently consulted and thereafter advised the "subpoena waiving" attorney of the provider's need for a HIPAA-compliant authorization or a court order to produce the records which had been subpoenaed. In response, the demanding attorney threatened a motion for sanctions inclusive of attorney fees for obtaining a court order "to compel compliance with the subpoena," if the provider failed to obey the dictates of the subpoena and continued to insist on a HIPAA-compliant authorization or a court order for the records release. Outside litigation counsel was then obtained.

A review of Civil Rule 45, which authorizes the issuance of subpoenas, clearly reflects that exceptions to the "subpoena power" exist and indeed one of the exceptions is for privileged information. Both federal and state laws bestow privileged status upon medical records. The federal HIPAA requirements demand that a medical provider receive a proper HIPAA-compliant authorization executed by the patient/resident or a legally recognized fiduciary for the patient (parent of minor, legally appointed guardian, or one holding a proper power-of-attorney for the patient) or a court order compelling the provider to produce the privileged information to a specific person. Absent receipt of the appropriate authorization or a specific court order, a medical provider may not lawfully release medical records even if presented with a subpoena for same. Moreover, when an appropriate authorization has not been presented, the provider's insistence upon receipt of a specific court order is neither a sanctionable event nor is there a requirement that the medical provider bear the expense of obtaining the court order necessary for HIPAA compliance. Rather, it is incumbent upon the individual who is attempting to obtain medical records of another without a proper authorization, to obtain a court order for the same.

As with any power bestowed by law, exercise of the same is not without limits and certainly that applies to the "subpoena power." Those who are privileged to practice law and imbued with the "subpoena power" must exercise that power consistent with applicable state and/or federal law. Disregard for HIPAA compliance or similar state privacy laws/regulations is inconsistent with both federal and state law. When it was suggested to the attorney who issued the subpoena that he more carefully review Ohio Civil Rule 45, as well as Ohio Civil Rule 11 (which addresses sanctions against attorneys), prior to wielding the power of the subpoena and threatening sanctions against a medical provider, he promptly withdrew the subpoena.

A patient's right to privacy has been given high priority in both federal and state law. Insistence upon compliance with HIPAA regulations and similar state regulations is a must for medical providers. Very few exceptions are applicable. Certainly service of a subpoena is not an exception to HIPAA compliance. If in doubt, a phone call or brief conversation with a trusted legal advisor is a prudent course of action.