Step Away From That Subpoena and Review Your HIPAA Obligations

November 2014 | Articles | Report on Patient Privacy

If you receive a subpoena, discovery request, or even a court order demanding the release or production of documents or files that may contain protected health information (PHI), are you obligated to comply? The surprising answer, in many cases, is “no.” Even more surprising may be the fact that, in attempting to comply with what appears to be a valid legal document, you may actually be violating federal law.

HIPAA regulations require, first and foremost, that covered entities, business associates, and their subcontractors protect the privacy and security of PHI they create, receive, maintain, or transmit. The regulations permit disclosure of PHI only under very specific circumstances, one of which is disclosure for judicial and administrative procedures. Yet even this “judicial and administrative procedures” circumstance contains limits. Notably, while other HIPAA regulations require disclosure under specific circumstances, the regulations specific to “judicial and administrative procedures” allow, but do not mandate, the disclosure. Recent inquiries about litigation matters that involve subpoenas, court orders, and PHI prompted me to list a few reasons to step back and carefully consider your HIPAA obligations before responding.