QUESTION: Is a subpoena from a state board of medicine treated just like any other subpoena for purposes of the Health Insurance Portability and Accountability Act (“HIPAA”)? In other words, is it true that the hospital can’t release a patient’s Protected Health Information to a state board of medicine unless it first takes certain steps, such as getting a qualified protective order from a court, or informing the patient? Thanks.
ANSWER: No, a subpoena from a state board of medicine is not treated like any other subpoena for HIPAA purposes. Protected Health Information (“PHI”) which is the subject of such a subpoena can be released to a state board of medicine without a qualified protective order or notice to the patient. HIPAA provides that PHI may be disclosed to a “health oversight agency” for “licensure or disciplinary actions” necessary for oversight of the health care system. (45 C.F.R. §164.512(d).) HIPAA also states that a state board of medicine is a “health oversight agency.” (45 C.F.R. §164.501.) That said, if certain categories of particularly sensitive information are involved (such as mental health, drug/alcohol, or HIV/AIDs), state law should be consulted to see if it offers greater protections to the information.
QUESTION: We received a subpoena from an attorney requesting the medical records of a patient. The attorney represents the plaintiff in the case, and the patient is the defendant. We are not a party to the litigation and want to comply with the subpoena, but we don’t want to violate the Health Insurance Portability and Accountability Act (“HIPAA”) either. Help!
ANSWER: The regulations implementing HIPAA (the “HIPAA Privacy Rule”) require that certain conditions be satisfied before a covered entity, in this case a hospital, may disclose medical records in response to a subpoena. Basically, these regulations require that a hospital receive “satisfactory assurances” that the patient has been notified of the subpoena and that any objections to the subpoena by the patient have been resolved. Until the hospital receives these “satisfactory assurances,” it is prohibited by federal law from disclosing the medical records.
State law may also help here. For example, the Pennsylvania Rules of Civil Procedure require a party in a lawsuit to serve a copy of a proposed subpoena on all other parties prior to issuing that subpoena to a third party (the hospital). Also, the Rules state that a party that intends to serve a subpoena on a third party (the hospital) must file a certificate showing that it has notified other parties in the lawsuit of the subpoena.
So, as required by the HIPAA Privacy Rule, a hospital, or its attorney, should request that the individual who requested the medical records provide the hospital with documentation that indicates that the patient has received notice of the subpoena, has had an opportunity to object to it, and either no objections were filed or all objections have been resolved. Once the hospital receives that documentation, it will be able to comply with the subpoena.