January 15, 2026

Posted on by Courtney Patterson

QUESTION:
We received a subpoena from an attorney requesting the medical records of a patient.  The attorney represents the plaintiff in the case, and the patient is the defendant.  We are not a party to the litigation and want to comply with the subpoena, but we don’t want to violate the Health Insurance Portability and Accountability Act (“HIPAA”) either.  Help!

ANSWER FROM HORTYSPRINGER ATTORNEY NICHOLAS CALABRESE:
Basically, there are three types of subpoenas – (1) a witness subpoena (requires an individual or entity to appear in court); (2) a deposition subpoena (requires an individual or entity to provide records or appear at a deposition); and (3) a subpoena duces tecum (requires an individual or entity to provide copies of records and/or attend a court hearing). In most cases, when a hospital is not a party to a lawsuit, it will receive a subpoena duces tecum.

Disclosing information under these circumstances is covered under the HIPAA Privacy Rule regulations at 45 CFR § 164.512(e) “Disclosures for judicial and administrative proceedings.”  The regulations require that certain conditions be satisfied before a covered entity, in this case a hospital, may disclose medical records in response to a subpoena duces tecum.

A subpoena duces tecum can be signed by a judge, but is usually signed by an attorney.  If it has been signed by a judge, the hospital can release the medical records as long as it discloses only the Protected Health Information (“PHI”) authorized by the judge.  If it has been signed by an attorney, as in this case, there is a different process.  Basically, if signed by an attorney, the regulations require that a hospital receive “satisfactory assurances” from the attorney that: (1) reasonable efforts have been made to notify the patient of the subpoena and that the patient had no objections to the subpoena, or that any objections to the subpoena by the patient have been resolved; or (2) reasonable efforts have been made by the attorney to secure a qualified protective order (a court order limiting the use, disclosure, and storage of information solely to a specific lawsuit, ensuring its return or destruction after the case ends).  Until the hospital receives either of these “satisfactory assurances,” it is prohibited by federal law from disclosing the medical records.

Our most important piece of advice in this instance?  If you receive a subpoena, please involve legal counsel as early and often as possible.

If you have a quick question about this, e-mail Nick Calabrese at ncalabrese@hortyspringer.com.