Section Review

Obtaining medical records with subpoenas: The effect of the Privacy Standards

J. Michael Scully is a partner in the firm of Bulkley, Richardson and Gelinas, LLP. He is a member of the firm's Litigation/Alternative Dispute Resolution Department and Health Law Practice Group.

Elizabeth H. Sillin is an associate with the Health Law Practice Group and the Estate Planning and Administration Department at Bulkley, Richardson and Gelinas, LLP.

New federal regulations will affect the way health care providers in Massachusetts respond to subpoenas for an individual's health information. With the implementation of the Privacy Standards, promulgated under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), in effect since April 14, 2003, how a health care provider will now respond to a subpoena will depend on a number of factors:

1. Whether the patient has authorized the release of the requested health information;

2. The type of information sought by the subpoena (e.g., medical records that contain certain "sensitive" information);

3. The type of entity that receives the subpoena (i.e., a hospital or clinic that is licensed by the Department of Public Health ("DPH"), or some other health care provider - such as a private physician practice);

4. Whether the patient whose records are sought is a party to the underlying proceeding as shown by the case caption appearing on the subpoena;

5. The type of subpoena that is issued (e.g., civil deposition, civil trial subpoena); and

6. Whether Massachusetts law or the Privacy Standards are more restrictive with respect to the release of the information; the Privacy Standards preempt contrary state law unless the state law is more stringent (or, in other words, provides more protection) than the Privacy Standards.

Sensitive information

Certain types of information can only be released pursuant to patient authorization or a court order. The Privacy Standards do not preempt existing state and federal laws requiring specific patient authorization or a specific court order for the release, for example, of HIV/AIDS testing records, certain mental health records, alcohol and drug abuse treatment records and genetic testing records. Therefore, those health care providers who otherwise may provide patient records in response to a subpoena may not do so when the subpoena requests such "sensitive" information.

DPH-licensed hospitals and clinics

Because of the interplay between state law and the Privacy Standards, DPH-licensed hospitals and clinics now have to obtain additional information before releasing health information in response to certain subpoenas, absent patient authorization (note that the Privacy Standards have requirements for valid patient authorizations).

Patient is a party to the proceeding

Under Massachusetts law, the medical records of a patient held by a DPH-licensed hospital or clinic are confidential. However, G. L. c. 111, § 70 permits DPH-licensed hospitals and clinics to release medical records pursuant to a subpoena if the records sought are of a party named in the underlying proceeding, as shown by the case caption appearing on the subpoena. The Privacy Standards, by contrast, permit disclosure of protected health information pursuant to a subpoena only if additional steps are taken before such information is released. In this case, the provisions of the Privacy Standards are more protective of patient health information than the more permissive state law and must be followed. Therefore, if a patient is a party to the proceeding as shown by the case caption appearing on the subpoena, hospitals and clinics now must, before releasing the information, receive "satisfactory assurances" from the person seeking the information that such person has made "reasonable efforts" to provide either notice to the patient or to obtain a qualified protective order.

Satisfactory assurances regarding notice

According to the Privacy Standards, a DPH-licensed hospital or clinic has received satisfactory assurances that reasonable efforts have been made to provide notice to the patient if the person seeking the health information provides the hospital or clinic with written documentation that the person has:

1. Made a good faith attempt to provide written notice to the individual at the individual's last known address;

2. Provided sufficient information to the individual to permit the individual to raise objections in the appropriate court; and

3. Shown that the time for the individual to raise objections has elapsed and either no objection has been filed or all filed objections have been resolved.

Complying with satisfactory assurances regarding notice

Civil deposition subpoenas. Under both the Massachusetts and Federal Rules of Civil Procedure, a party must provide prior notice to the opposing party of a requested deposition or a subpoena for production of documents. This prior notice would satisfy the prior written notice requirement of the Privacy Standards, but would not satisfy the other two requirements, i.e., providing sufficient information to allow the individual to object, and showing that the time for objections has passed with no objection or that objections have been resolved. In order to satisfy the other two requirements, we recommend that attorneys requesting protected health information send a cover letter to the patient's attorney, thereby providing the required notice, information, and opportunity to object to the person whose records are sought. Such a "notice" letter to Jane Doe's attorney regarding her medical records at City Hospital could say:

Attached, pursuant to Rules 30 and 45 of the Massachusetts Rules of Civil Procedure, are copies of a Notice of Deposition and a subpoena request for ___________________________ (specify documents requested in subpoena) relating to the captioned proceeding.

In accordance with the requirements of the Health Insurance Portability and Accountability Act ("HIPAA") Privacy Standards, please notify your client that these records are being sought. In addition, please notify Jane Doe that she and you have ten days from the date of this letter to raise objections to the subpoena in the court in which we have brought the proceeding. If, after ten days, I have received no notification from you that any objection has been raised, I will assume that there is no objection to this request for information, and will so notify City Hospital.

A second letter could be used to provide the keeper of records at the hospital or clinic with written notification that notice was provided to the patient, that the patient was given a reasonable time to object and that no objection was received from the patient:

In accordance with the requirements of the Health Insurance Portability and Accountability Act ("HIPAA") Privacy Standards, please see the attached copy of my letter to Jane Doe's attorney regarding our subpoena to you seeking copies of certain documents held by you pertaining to Jane Doe. The letter specifies a ten-day period in which Jane Doe may raise objections to the subpoena and requests that I be notified if such objections are being raised. The requisite ten days have passed and I have received no notice of any such objection.

Upon receipt of the second letter along with a copy of the first letter, City Hospital may release the requested health information for Jane Doe. Alternatively, City Hospital may release Jane Doe's health information pursuant to a properly executed, HIPAA-compliant, authorization form.

Other types of civil subpoenas. Other types of subpoenas to hospitals or clinics, such as trial subpoenas, do not require prior notice to the opposing party. However, the Privacy Standards still require that the hospital or clinic obtain satisfactory assurances with respect to notice to the patient or a qualified protective order. In this context, an attorney requesting John Smith's health information from City Hospital could send a letter to John Smith's attorney, stating:

Attached is a copy of my subpoena request to City Hospital for the production of documents pertaining to your client, John Smith, which I am seeking in relation to the captioned proceeding.

In accordance with the requirements of the Health Insurance Portability and Accountability Act Privacy Standards, please notify John Smith that the production of these documents is being sought. In addition, please notify Mr. Smith that he and you have ten days from the date of this letter to raise objections to the subpoena in the court in which we have brought the proceeding. If, after ten days, I have received no notification from you that any objection has been raised, I will assume that there is no objection to this request for production of documents, and will so notify City Hospital.

Upon the passage of the period of time indicated in the letter, and if Mr. Smith raises no objections, the attorney requesting health information could then send the following letter to the keeper of records at City Hospital, accompanied by a copy of the above letter:

In accordance with the requirements of the Health Insurance Portability and Accountability Act Privacy Standards, please see the attached copy of my letter to John Smith's attorney regarding my subpoena to you seeking the production of certain documents held by you pertaining to John Smith. The letter requests that Mr. Smith's attorney notify Mr. Smith of this subpoena and its request to City Hospital for these documents, specifies a ten-day period in which Mr. Smith may raise objections to the subpoena and requests that I be notified if such objections are being raised. The requisite ten days have passed and I have received no notice of any such objection.

Upon receipt of these two letters, City Hospital will have received "satisfactory assurances" and will be able to release John Smith's health information in compliance with the requirements of both state law and the Privacy Standards. Again, City Hospital may also release health information with patient authorization.

Satisfactory assurances regarding a protective order

The person seeking by way of subpoena protected health information from a DPH-licensed hospital or clinic when the patient is named in the case caption has made "reasonable efforts" regarding securing a "qualified protective order" if the person has provided the hospital or clinic a written statement and accompanying documentation that:

1. Parties to the dispute giving rise to the request for information have agreed to a qualified protective order and have presented it to the court, or

2. The person seeking the protected health information has requested a qualified protective order from the court.

Under the Privacy Standards, a "qualified protective order" is an order of a court or of an administrative tribunal or a stipulation by the parties to the litigation that prohibits the parties from using or disclosing the health information for any purpose other than the litigation or proceeding for which such information was requested, and requires the return to the health care provider or destruction of the protected health information (including all copies made) at the end of the litigation or proceeding.

Patient is not a party to the proceeding as appearing in the case caption

If the patient is not a party to the proceeding as shown by the case caption appearing on the subpoena, the release provisions of G. L. c. 111, § 70 do not apply. In this context, Massachusetts law requires the DPH-licensed hospital or clinic to receive patient authorization or a court order before releasing protected health information. Therefore, in this case, Massachusetts law is more protective of patient rights than the Privacy Standards, and a properly executed, HIPAA-compliant patient authorization or a court order will be required.

All other health care providers

The provisions of G. L. c. 111, § 70 do not apply to health care providers that are not DPH-licensed hospitals or clinics. Massachusetts health care providers have a duty of confidentiality and generally must not disclose their patients' health information without their patients' consent (or a court order). See Alberts v. Devine, 395 Mass. 59, 68 (1985). Massachusetts law is thus more stringent than the Privacy Standards and health care providers that are not DPH-licensed hospitals or clinics must receive properly executed, HIPAA-compliant patient authorization or a court order before releasing patients' health information.

Privacy standards: Verification and authority

All covered health care providers must verify the identity and authority of a person requesting health information; however, a health care provider is not required to verify the identity of a patient authorizing disclosure of his or her information nor must it authenticate the patient's signature. A health care provider may rely on a subpoena, court order or other legal process to verify the authority of a public official to seek disclosure, if such reliance is reasonable. With respect to attorneys, we believe a similar process is acceptable. If the provider receives a subpoena, court order or other similar process and the attorney states in writing that he or she represents a party to the underlying lawsuit, we believe the health care provider may rely on such documentation (provided that such reliance is not unreasonable in the circumstances).

Privacy standards: Minimum necessary requirements

All health care providers must make a reasonable effort to disclose only the minimum amount of health information needed to accomplish the intended purpose of the disclosure. For example, a health care provider may not disclose the entire record, unless the entire record is the amount reasonably needed for the purpose or unless the entire record is requested or authorized by the patient. However, while health care providers are responsible for not disclosing more information than is needed or requested, they are not required to second guess the scope or purpose of a request or to resist because they believe the request is overbroad.

Summary

As health care providers adopt new procedures in response to the Privacy Standards, obtaining medical records and other health information may be more difficult and time-consuming than in the past. Obtaining appropriate patient authorization, when possible, will be the most efficient way to obtain health information. Absent patient consent, practitioners with an understanding of the new rules will be able to expedite the process by providing health care providers with the documents they need to release needed information.

©2014 Massachusetts Bar Association