Every time a subpoena for medical records arrives, it creates angst. The medical records custodian experiences pressure to release records from the moment he/she receives a call from the requesting attorney's office, often arguing about whether the subpoena provides enough authority to release the records.
A Connecticut Supreme Court case  is getting a lot of attention for allowing state negligence claims based on noncompliance with HIPAA standards. For health information management professionals, the case underscores the need to resist releasing clinical information merely on the basis of a subpoena or at the insistence of an attorney. The court ruled that state court pretrial practices must be HIPAA compliant and that HIPAA requirements extend to responses to subpoenas. The court cited HIPAA regulations, 45 C.F.R. § 164.512(e)(1)(ii), to reaffirm that a healthcare provider cannot transfer protected health information (PHI) to an outside entity without receiving satisfactory assurances that the person whose medical records are the subject of the subpoena has been given notice of the request. [45 C.F.R. §165.512(e)(1)(ii)(A)] Usually the subpoena includes some notice language. However, satisfactory assurances requires all of the following:
Thus, before the requested medical record can be released, the provider needs to make sure there are no objections from the affected individual.
Alternatively, a provider may release PHI if it receives satisfactory assurances from the party seeking the information that it has made reasonable efforts to secure a qualified protective order. [45 C.F.R. §165.512(e)(1)(ii)(B)] Satisfactory assurances requires:
Thus, it is not enough for the subpoena to include a statement that a protective order will be filed or to include draft language for the protective order. The party seeking the PHI needs to have filed the qualified protective order with the court.
Under the new CT Supreme Court case, any healthcare provider in Connecticut who fails to comply with the HIPAA requirements outlined above is now risking a lawsuit by the patient and possible damages for negligence and emotional distress under state law as well as a complaint and possible investigation for violation of HIPAA requirements.
A reasonable and simple best practice in responding to subpoenas for PHI is (1) call the person whose PHI is the subject of the subpoena, (2) inform him/her of the subpoena for PHI, and (3) request authorization to release the PHI. The person can agree to the release or not. If the person agrees, the medical records department can follow its normal process for release of PHI. If the person disagrees, the medical records department should not release the information and should inform the requesting attorney of the individual's objection to the release of his/her PHI. These communications, both call and response, should be documented. If there are questions about the application of the CT Supreme Court case, you should consult with a HIPAA attorney.
 Byrne v. Avery Ctr., 314 Conn. 433 (2014).
 A subpoena issued by an attorney or "officer of the court" is not the same as a subpoena issued by a judicial officer (usually a judge or a magistrate) or a grand jury, which would be considered a court order and allowed under 45 C.F.R. §165.612(f)(1)(ii).
On January 30, Jed Davis will speak at The Knowledge Group Webcast, "Best Strategies in Protecting Your Firm Against Hackers: What Hackers Can and Cannot Do?"
Theresa Kelly and Howard Fetner wrote an article, "AARP Lawsuit Puts EEOC In An Awkward Position," for Law360.
Jed Davis authored the article, "Cybersecurity for the Under-Resourced" for Bloomberg BNA.
On November 2, Susan Huntington and Eric Fader will be speaking at a webinar jointly sponsored by Day Pitney and Wolf & Co. "Business Associates Are Under a Microscope - Are You Prepared?"
On August 30, Susan Huntington was a speaker in the webcast "Medical Devices in Hospital Networks: Mitigating Risk in 2016" hosted by the Knowledge Group.
Eric Fader was quoted in an article, "Trump Era Likely Will Increase Collections From Patients But End MACRA," in Part B News. In the article, Fader discussed how an alternative plan for national health care reform offered by Speaker of the House Paul Ryan, called "A Better Way," might gain support if the Affordable Care Act (ACA) is repealed, in whole or in part.
Eric Fader was quoted in an article, "Unknown Future of ACA Puts Blues Plans In an Uncomfortable Spot Heading Into '17," published in The AIS Report on Blue Cross and Blue Shield Plans.
Eric Fader was quoted in an article, "Trump may maintain support for health IT, cut funds for HIPAA audits," in McKnight's Long Term Care News.
Eric Fader was quoted in an article, "Incoming Trump Administration May Mean Less Funding for HIPAA Audits," in Bloomberg BNA’s Health Care Fraud Report.
Eric Fader was quoted in an article, "Prior Defects Could Sink Auvi-Q Even As EpiPen Prices Soar," in Law360. In the article, Fader points out that with lawmakers and consumers calling for a competitor to challenge Mylan NV in the aftermath of the drugmaker's EpiPen price increases, potential competitor Kaléo Pharma has a "golden opportunity" with its updated version of the Auvi-Q epinephrine injector.