Insight Responding to Subpoenas

Health care providers who receive a subpoena requiring the disclosure of patient information may struggle between a rock and hard place: if they produce information in violation of HIPAA privacy rules, they face HIPAA penalties; if they fail to respond to the subpoena, they may be subject to contempt sanctions. This Client Alert summarizes the steps to avoid liability on either side.

Valid Subpoenas. A subpoena is a court or administrative order that requires the health care provider to testify at a specified time and location. A subpoena duces tecum requires the provider to produce documents or other items at the specified time and place. A subpoena may be issued by a court (e.g., a federal or Idaho district court) or an administrative agency (e.g., CMS, Health and Welfare, or the Board of Medicine). A subpoena issued in a court proceeding may be signed by a judge, magistrate, court clerk, prosecutors, or attorney. A subpoena issued in an administrative proceeding may be signed by an administrative officer. To be enforceable, the subpoena must be issued by a court or administrative agency with jurisdiction over the provider. For providers in Idaho, that generally means that a judicial subpoena must be issued by the United States District Court of Idaho or an Idaho state court; courts outside Idaho generally have no jurisdiction over health care providers in Idaho and cannot enforce subpoenas served in Idaho, except in certain federal cases. For administrative proceedings, the subpoena generally must be issued by an Idaho or United States agency; however, if the provider is licensed by or participates in programs run by an agency from another state, the agency may be able to take action against the provider’s license or participation in the program in the other state if the provider fails to comply with the subpoena. The requirements for responding to judicial subpoenas are generally set forth in relevant court rules, e.g., Idaho Rules of Civil Procedure, Rule 45; Idaho Criminal Rules, Rule 17; Federal Rules of Civil Procedure, Rule 45; and Federal Rules of Criminal Procedure, Rule 17. If you have questions concerning the validity or enforceability of a subpoena, contact your attorney.

HIPAA Limitations. The HIPAA privacy rules generally prohibit health care providers from disclosing protected health information (“PHI”) unless a regulatory exception applies. (45 C.F.R. § 164.502) HIPAA contains exceptions for responding to subpoenas, but the rules differ depending on the type of subpoena that is issued.

1. Order, Warrant or Subpoena Signed by Judge. If a provider receives an order, warrant, or subpoena signed by a judge, magistrate, or administrative tribunal with jurisdiction over the provider, the health care provider should comply with the order, warrant, or subpoena. (45 C.F.R. § 164.512(e)(1)(i), (f)(1)). In such cases, HIPAA presumes that the patient’s privacy interests are protected because an independent judicial or administrative officer has considered and ordered the disclosure. Health care providers should strictly comply with the order, warrant or subpoena in these cases: they should only disclose the PHI required by the order, warrant or subpoena at the time and place set forth in the order, warrant or subpoena. They should not disclose more PHI than is ordered, nor should they disclose PHI outside the proceeding at which the disclosure is ordered. If the provider objects to the propriety or scope of the order, warrant or subpoena, they should petition the court or administrative tribunal to quash or modify the order, warrant or subpoena.

2. Grand Jury Subpoena. If the subpoena is issued by a grand jury, the health care provider may comply with the subpoena. (45 C.F.R. § 164.512(f)(1)(ii)(B)). A grand jury subpoena will specify that it is issued by or in a grand jury proceeding. Grand jury proceedings are closed to the public and information provided in the proceeding is kept confidential. Because the information is kept confidential, HIPAA presumes that the patient’s privacy interests are protected and, therefore, allows PHI to be produced in response to a grand jury subpoena.

3. Administrative Demand. A provider may respond to an administrative subpoena, summons, or investigative demand authorized by law if the administrative agent confirms (1) the PHI sought is relevant and material to a legitimate law enforcement inquiry; (2) the request is specific and limited in scope to the extent reasonably practicable in light of the purpose for the demand; and (3) de-identified information could not reasonably be used. (45 C.F.R. § 164.512(f)(1)(ii)(C)).

4. Subpoena Signed by Clerk or Attorney. Most subpoenas are issued and signed by the court clerk, a prosecutor, or an attorney acting as an officer of the court. These subpoenas do not contain the same inherent privacy protections as those that are issued by a judge, magistrate, or grand jury. Accordingly, HIPAA only allows a health care provider to disclose PHI in response to such a subpoena if one of the following conditions is satisfied:

• Satisfactory written assurances. The provider may disclose PHI if the subpoena is accompanied by a written statement from the party issuing the subpoena that (1) the party has made reasonable good faith efforts to notify the patient in writing of the subpoena; (2) the notice included sufficient detail to permit the patient to object to the subpoena in court; and (3) the time for the patient to object to the subpoena has lapsed and either no objections were filed or the court has overruled the objections. (45 C.F.R. § 164.512(e)(1)(ii)-(iii)). The Office of Civil Rights (“OCR”) has stated that a copy of the subpoena itself may satisfy these requirements if, for example, the subpoena itself confirms: (1) the patient is a party to the litigation; (2) a copy of the subpoena was served on the patient or the patient’s attorney; and (3) the time for the individual to raise objections has elapsed and no objections were filed or all objections have been resolved against the patient.
• Qualified protective order. Alternatively, the provider may disclose the PHI if the subpoena is accompanied by a written statement from the party issuing the subpoena that either (1) the parties to the proceeding have agreed to a protective order that maintains the confidentiality of the information to be produced, or (2) the party issuing the subpoena has requested such a protective order from the court. (45 C.F.R. § 164.512(e)(1)(ii), (iv), (v)).
• Health care provider notifies the patient or obtains protective order. Alternatively, the provider may disclose the PHI if the provider (1) makes reasonable efforts to notify the patient (or the patient’s lawyer) in writing of the subpoena; (2) the notice includes sufficient detail to permit the patient to object to the subpoena in court; and (3) the patient fails quash or modify the subpoena and notify the provider of same. This is often the most efficient and effective manner for complying with HIPAA when faced with a subpoena. Alternatively, the provider may disclose the information if the provider obtains its own protective order that maintains the confidentiality of the information. (45 C.F.R. § 164.512(e)(1)(vi)).

Net Effect. The net effect of these rules is that, in the case of a subpoena signed by the clerk, prosecutor, or attorney, health care providers must do one of the following in response to the subpoena; thay cannot simply ignore a valid subpoena:

• Require satisfactory written assurances, a valid authorization, or other HIPAA exception. The health care provider may contact the party issuing the subpoena and explain that HIPAA prevents disclosure pursuant to the subpoena unless the subpoena is accompanied by the satisfactory written assurances or a qualified protective order as described above. Alternatively, the provider may respond to the subpoena if the party issuing the subpoena provides a valid HIPAA authorization that complies with 45 C.F.R. § 164.508 (see my August 2006 Client Alert, Is Your HIPAA Authorization Valid?), or identifies another applicable HIPAA exception that would allow the disclosure required by the subpoena, e.g., one of the other regulatory exceptions listed in 45 C.F.R. § 164.512. The provider should not assume, however, that simply providing such notice to the party issuing the subpoena excuses the provider from complying with the subpoena. In federal civil cases in which documents are requested, sending a written objection to the party issuing the subpoena places the burden on the party issuing the subpoena to obtain a court order to compel production. (Fed. R. Civ. Proc. 45(c)(2)(B)). That is not the case in Idaho state court or other federal cases. In most circumstances, the party objecting to a subpoena generally has the burden to file a motion to quash the subpoena before they may refuse to comply; a provider who simply chooses not to reply to the subpoena faces the risk of contempt sanctions. Accordingly, the provider should (1) ensure that the party issuing the subpoena agrees that the provider will not be required to respond to the subpoena until the satisfactory written assurances, valid authorization, or other HIPAA exception have been provided, and (2) the provider should document the agreement in a confirming letter. If the party issuing the subpoena refuses to agree, the provider should consider other alternatives described below.
• Notify the patient yourself. If the party issuing the subpoena refuses to provide the written assurances, it is often easiest for the provider to simply notify the patient of the subpoena, thereby satisfying 45 C.F.R. § 164.512(e)(1)(vi). When doing so, the provider should send the patient a copy of the subpoena and explain in writing that the provider must respond at the date and time specified in the subpoena unless the patient (1) successfully quashes or has the subpoena withdrawn, and (2) notifies the provider of that fact prior to the response date. By notifying the patient, the provider essentially shifts the burden to the patient to take appropriate steps to protect his or her own information if they want it protected. If the patient fails to respond, quash, or have the subpoena withdrawn prior to the response date, then the provider my disclose the information per 45 C.F.R. § 164.512(e)(1)(vi)).
• Move to quash the subpoena or obtain a qualified protective order. If the party issuing the subpoena refuses to provide the written assurances or otherwise comply with HIPAA, the provider may move to quash the subpoena or obtain a qualified protective order per 45 C.F.R. § 164.512(e)(1)(v)); however, that approach requires the provider to formally appear in the court proceedings and file a written motion. In most cases, that approach is simply not cost effective, so the provider will take one of the other actions.
• Respond and assert the HIPAA objection. Alternatively, if the health care provider so chooses, the provider may simply show up at the date and time stated in the subpoena and, when asked to disclose PHI, object to disclosure based on HIPAA. In such cases, the provider should explain that HIPAA prevents disclosure per the subpoena unless the party issuing the subpoena has provided the satisfactory assurances or requested a qualified protective order as required by 45 C.F.R. § 164.512(e)(1)(ii). If a judge is present, the provider may then ask the judge if the judge is ordering disclosure. In most cases, the judge will order the disclosure, and the provider may disclose such information per 45 C.F.R. § 164.512(e)(1)(i)). By doing so, the provider has complied with its obligation to protect the patient’s PHI.
• File records with court. Finally, Idaho Code § 9-420 creates a process whereby hospitals may respond to a subpoena duces tecum in an Idaho case by filing the requested records under seal with the court rather than appearing or testifying at a hearing. To invoke the process, the hospital must satisfy certain conditions set forth in the statute, including filing a custodian of records affidavit and a board resolution designating the custodian of records, and providing notice to the parties to the court action. The party issuing the subpoena may avoid this statutory alternative by including a statement in the subpoena that filing the records per § 9-420 will not satisfy the subpoena. An argument may be made that HIPAA preempts and disallows § 9-420; however, it is unlikely that argument would be advanced. The § 9-420 process is not available in federal cases. In most cases, it may be easier for a provider simply to notify the patient of the subpoena as described above (thereby satisfying HIPAA), then produce the information as required in the subpoena.

Charges for Records or Costs of Responding. Most rules permit a provider to recover its reasonable costs in responding to a subpoena, but they do not expressly condition compliance with the subpoena on prepayment of the charges. (See, e.g., Idaho R. Civ. Proc. 45(d); compare Fed. R. Civ. Proc. 45 (if party objects to production of documents because of undue burden, the party issuing subpoena must seek an order to compel). Accordingly, a health care provider may reasonably demand payment before the records are produced. In most cases, the party issuing the subpoena will pay the reasonable charges. However, if prepayment is not made, the provider should not refuse to comply with the subpoena unless the court has expressly conditioned compliance on prepayment; otherwise, the failure to comply with the subpoena may subject to the provider to contempt sanctions. Instead, the provider should either petition the court for an order requiring payment before compliance is due, or file a motion to compel payment after complying with the subpoena. In addition or alternatively, the provider may pursue its costs under a contract or unjust enrichment theory if the costs of responding are worth the time and expense.

Conclusion. HIPAA still applies even though a subpoena has been issued. By following the steps outlined above, providers can comply with both HIPAA and the subpoena.

If you have questions about these or other legal issues, please contact a member of our Health Law group at call 208.344.6000.